Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Presentation.pptx

Overview

General Information

Sample name:Presentation.pptx
Analysis ID:1523386
MD5:d6fe5c7469058b496c0eb7882bd99934
SHA1:051f36a8d8b3134e163981f4ae4a0548853e7fe8
SHA256:0441d5351a8829f35050985ebd60d7bd113eedd4747889b904588b84909148eb
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Detected non-DNS traffic on DNS port
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

  • System is w10x64
  • POWERPNT.EXE (PID: 6160 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" /AUTOMATION -Embedding MD5: 2A43FE7F9F699F7F53FEBC254F68F46D)
    • ai.exe (PID: 5440 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "ACDED7EB-D880-4ACC-A58C-ABC31A66F134" "DD203341-10FD-4262-8EA1-67EA019FAACD" "6160" "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" "PowerPointCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • chrome.exe (PID: 7244 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://xmlj.debelfor.com/59lCq/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,12280827540682383525,3330265013288624858,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknownHTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:50378 version: TLS 1.2
Source: powerpnt.exeMemory has grown: Private usage: 1MB later: 114MB
Source: global trafficTCP traffic: 192.168.2.4:49755 -> 1.1.1.1:53
Source: global trafficTCP traffic: 192.168.2.4:50376 -> 162.159.36.2:53
Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.68
Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VXRCG+6Xxbe7s+B&MD=g7hxx7UY HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VXRCG+6Xxbe7s+B&MD=g7hxx7UY HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global trafficDNS traffic detected: DNS query: xmlj.debelfor.com
Source: global trafficDNS traffic detected: DNS query: google.com
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: unknownHTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
Source: unknownNetwork traffic detected: HTTP traffic on port 50378 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50378
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50381
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
Source: unknownNetwork traffic detected: HTTP traffic on port 50381 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
Source: unknownHTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:50378 version: TLS 1.2
Source: 465CD7B9-F6D2-499D-82FE-5B9E04191CBD.0.drOLE indicator, VBA macros: true
Source: CatalogCacheMetaData.xml.0.drOLE indicator, VBA macros: true
Source: 465CD7B9-F6D2-499D-82FE-5B9E04191CBD.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: CatalogCacheMetaData.xml.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engineClassification label: clean3.winPPTX@22/212@22/5
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\465CD7B9-F6D2-499D-82FE-5B9E04191CBDJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEFile created: C:\Users\user\AppData\Local\Temp\{2365BA56-4F7A-4470-9619-EABBF3614690} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "ACDED7EB-D880-4ACC-A58C-ABC31A66F134" "DD203341-10FD-4262-8EA1-67EA019FAACD" "6160" "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" "PowerPointCombinedFloatieLreOnline.onnx"
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://xmlj.debelfor.com/59lCq/
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,12280827540682383525,3330265013288624858,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "ACDED7EB-D880-4ACC-A58C-ABC31A66F134" "DD203341-10FD-4262-8EA1-67EA019FAACD" "6160" "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" "PowerPointCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,12280827540682383525,3330265013288624858,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: Presentation.LNK.0.drLNK file: ..\..\..\..\..\Desktop\Presentation.pptx
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\PowerPointCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid AccountsWindows Management Instrumentation1
Scripting		1
Process Injection		2
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Process Injection		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable Media3
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Extra Window Memory Injection		1
DLL Side-Loading		Security Account Manager12
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive4
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Extra Window Memory Injection		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
Ingress Tool Transfer		Traffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523386 Sample: Presentation.pptx Startdate: 01/10/2024 Architecture: WINDOWS Score: 3 16 xmlj.debelfor.com 2->16 18 templatesmetadata.office.net 2->18 6 chrome.exe 1 2->6         started        9 POWERPNT.EXE 501 369 2->9         started        process3 dnsIp4 20 192.168.2.16 unknown unknown 6->20 22 192.168.2.4, 138, 443, 49723 unknown unknown 6->22 24 2 other IPs or domains 6->24 11 chrome.exe 6->11         started        14 ai.exe 9->14         started        process5 dnsIp6 26 www.google.com 142.250.186.132, 443, 49752, 50381 GOOGLEUS United States 11->26 28 xmlj.debelfor.com 11->28 30 google.com 11->30

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
google.com
142.250.185.78
truefalse
    		unknown
    www.google.com
    		142.250.186.132
    		truefalse
      		unknown
      xmlj.debelfor.com
      		unknown
      		unknownfalse
        		unknown

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        239.255.255.250
        		unknownReserved
        		unknownunknownfalse
        142.250.186.132
        		www.google.comUnited States
        		15169GOOGLEUSfalse

        Private

        IP
        192.168.2.7
        192.168.2.16
        192.168.2.4

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1523386
        Start date and time:2024-10-01 15:05:31 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 37s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Potential for more IOCs and behavior
        Number of analysed new started processes analysed:13
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:Presentation.pptx
        Detection:CLEAN
        Classification:clean3.winPPTX@22/212@22/5
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .pptx
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer

        Warnings

        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.68.129, 93.184.221.240, 184.28.90.27, 192.229.221.95, 142.250.186.35, 64.233.166.84, 142.250.185.206, 34.104.35.123, 51.104.15.253, 95.101.111.179, 95.101.111.168, 88.221.110.138, 88.221.110.227, 2.16.164.89, 2.16.164.34, 142.250.186.163, 216.58.212.174
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, a1847.dscg2.akamai.net, d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, clients2.google.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, wu-b-net.trafficmanager.net, ecs.office.com, fs.microsoft.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, edgedl.me.gvt1.com, s-0005.s-msedge.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, clients.l.google.com, europe.configsvc1.live.com.akadns.net, binaries.templates.cdn.office.net.edgesuite.net, templatesmetadata.office.net.edgekey.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, ecs-office.s-0005.s-msedge.net, roa
        • Not all processes where analyzed, report is missing behavior information
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        • Report size getting too big, too many NtSetValueKey calls found.
        • VT rate limit hit for: Presentation.pptx

        Simulations

        Behavior and APIs

        No simulations

        QR Codes

        SourceURL
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/
        Screenshothttps://xmlj.debelfor.com/59lCq/

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        239.255.255.250file.exeGet hashmaliciousCredential FlusherBrowse
          https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=Get hashmaliciousHTMLPhisherBrowse
            Sales_Contract_Main_417053608_09.2024.pdfGet hashmaliciousUnknownBrowse
              https://swissquotech.com/swissquote-2024.zipGet hashmaliciousPhisherBrowse
                https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==Get hashmaliciousHTMLPhisherBrowse
                  http://innerglowjourney.comGet hashmaliciousUnknownBrowse
                    file.exeGet hashmaliciousCredential FlusherBrowse
                      https://app.powerbi.com/Redirect?action=OpenLink&linkId=zdvBDOlnbh&ctid=fc5c5a9f-3ade-48e2-abb1-5450e9fb332d&pbi_source=linkShare_m365Notify&bookmarkGuid=5672cb10-cc42-4d8a-943e-29b95931de59&bookmarkUsage=1Get hashmaliciousHTMLPhisherBrowse
                        file.exeGet hashmaliciousUnknownBrowse
                          file.exeGet hashmaliciousUnknownBrowse

                            Domains

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            google.comfile.exeGet hashmaliciousCredential FlusherBrowse
                            • 142.250.184.196
                            https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=Get hashmaliciousHTMLPhisherBrowse
                            • 142.250.184.196
                            https://swissquotech.com/swissquote-2024.zipGet hashmaliciousPhisherBrowse
                            • 142.250.185.100
                            https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==Get hashmaliciousHTMLPhisherBrowse
                            • 142.250.186.68
                            http://innerglowjourney.comGet hashmaliciousUnknownBrowse
                            • 142.250.186.132
                            file.exeGet hashmaliciousCredential FlusherBrowse
                            • 142.250.185.132
                            https://app.powerbi.com/Redirect?action=OpenLink&linkId=zdvBDOlnbh&ctid=fc5c5a9f-3ade-48e2-abb1-5450e9fb332d&pbi_source=linkShare_m365Notify&bookmarkGuid=5672cb10-cc42-4d8a-943e-29b95931de59&bookmarkUsage=1Get hashmaliciousHTMLPhisherBrowse
                            • 142.250.184.196
                            m0F4yRjd58.jsGet hashmaliciousUnknownBrowse
                            • 142.250.185.68
                            GW7N3RMHCj.ps1Get hashmaliciousUnknownBrowse
                            • 142.250.217.164
                            8mDIjZgSAs.jsGet hashmaliciousUnknownBrowse
                            • 142.250.185.68

                            ASNs

                            No context

                            JA3 Fingerprints

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            28a2c9bd18a11de089ef85a160da29e4file.exeGet hashmaliciousCredential FlusherBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=Get hashmaliciousHTMLPhisherBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            https://swissquotech.com/swissquote-2024.zipGet hashmaliciousPhisherBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==Get hashmaliciousHTMLPhisherBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            http://innerglowjourney.comGet hashmaliciousUnknownBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            file.exeGet hashmaliciousCredential FlusherBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            R183nzNa89.exeGet hashmaliciousUnknownBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            R183nzNa89.exeGet hashmaliciousUnknownBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            https://app.powerbi.com/Redirect?action=OpenLink&linkId=zdvBDOlnbh&ctid=fc5c5a9f-3ade-48e2-abb1-5450e9fb332d&pbi_source=linkShare_m365Notify&bookmarkGuid=5672cb10-cc42-4d8a-943e-29b95931de59&bookmarkUsage=1Get hashmaliciousHTMLPhisherBrowse
                            • 40.126.32.68
                            • 52.165.165.26
                            file.exeGet hashmaliciousUnknownBrowse
                            • 40.126.32.68
                            • 52.165.165.26

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):118
                            Entropy (8bit):3.5700810731231707
                            Encrypted:false
                            SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                            MD5:573220372DA4ED487441611079B623CD
                            SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                            SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                            SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):338
                            Entropy (8bit):3.4557019111652925
                            Encrypted:false
                            SSDEEP:6:kKnr+r8yJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:/qrqkPlE99SCQl2DUevat
                            MD5:758FD4EB3F2633839DDF7C9A160F2AAF
                            SHA1:355813E3B9C4B9F28B35FEB711854DC7B8643934
                            SHA-256:EB5E10C9312EB53BFEA5737FF991AD51BCBADC9729D5525F770C1047AC036261
                            SHA-512:E011E19151DCEA744458EE0474CAAFB2105E9968F14173C49DCB3F3E33E8B93D15689FD2C73920EA01E7C3EA6E2128BBB64CD8C3D4985C22BFBD7B4C507BE26C
                            Malicious:false
                            Reputation:low
                            Preview:p...... .........s.....(................................................,..@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

                            C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
                            Category:dropped
                            Size (bytes):1869
                            Entropy (8bit):5.0901213094137985
                            Encrypted:false
                            SSDEEP:48:cG3JFnzyr3InzysWkSyr0dnzyrXHnzyMySyKUdSyqIASyRdyDhdyBkJdyudyO:hF27I2sVb4d2rH2MybKUdbqIAbREDhEo
                            MD5:B3B62F1DF28D04912960F1C7255E443D
                            SHA1:B9E1B67C2AE04650939BE30D9ED1785DE01ACFA0
                            SHA-256:83D6AB480533C8AD154BB9D5D72AC93D8A93D64FFFAB94A73C108558957CE13F
                            SHA-512:31021C4597E7C20703BC6ED5F278D6CD07C747E58483A83B79BA9C3B614E7757EE543EDD39C100333C1808F3B4D774D9F2530711F09D47581F02839B027170D1
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Display_45876482</Id><LAT>2023-10-04T10:58:38Z</LAT><key>29442803203.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-04T10:58:38Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215426</Id><LAT>2023-10-04T10:58:38Z</LAT><key>37262344671.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2024-10-01T13:06:36Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2023-10-04T10:58:38Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-04T10:58:38Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type

                            C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):521377
                            Entropy (8bit):4.9084889265453135
                            Encrypted:false
                            SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
                            MD5:C37972CBD8748E2CA6DA205839B16444
                            SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                            SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                            SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

                            C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                            Category:dropped
                            Size (bytes):773040
                            Entropy (8bit):6.55939673749297
                            Encrypted:false
                            SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
                            MD5:4296A064B917926682E7EED650D4A745
                            SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                            SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                            SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..

                            C:\Users\user\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\PowerPoint\1380790193167760279.C4

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BB7DF04E1B0A2570657527A7E108AE23
                            SHA1:5188431849B4613152FD7BDBA6A3FF0A4FD6424B
                            SHA-256:C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
                            SHA-512:768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
                            Malicious:false
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\PowerPoint\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):86
                            Entropy (8bit):5.034375355902624
                            Encrypted:false
                            SSDEEP:3:dDIk1q/l1EuOt+WfWlp1ceRthVAvs:1qt3OwvZvRVAvs
                            MD5:4CC9EBE76643FE6C684F1175C788D060
                            SHA1:6E440C8121FBFB1C7AFE6F1742B1139D183FC87F
                            SHA-256:2CDCEB68373041CEB08A36591C3B80966866CCEE57620B0536DBA4C414EA18F4
                            SHA-512:4EF0ACCF31529B68C1AE4CCE3E37FBB91E57C84F539AEF8232E704F9DBEA4A9EBBF52379D87A2D7BABC4077DD97649C235FE833F3997AAA7FBF7BEAFEA3DD5BE
                            Malicious:false
                            Preview:S...6L....J.....A............file:///C:\Users\user\Desktop\..Presentation..pptx.....

                            C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\465CD7B9-F6D2-499D-82FE-5B9E04191CBD

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):177088
                            Entropy (8bit):5.286733774804938
                            Encrypted:false
                            SSDEEP:1536:5i2XfRAqcbH41gwEwLe7HW8bM/o/NM5cAZl1p5ihs7EXXCEAD2OdaLI:8Ce7HW8bM/o/9XPkiI
                            MD5:D031799FD12E28BE8BAC134D714F7ED6
                            SHA1:8A92A452734122A5A3B6927CE886A380DDA41E3A
                            SHA-256:E03D6950BAD4AB6C2546F0C2BE1A34C2157EA5BE6742B6AC7A9A7B65546CC00E
                            SHA-512:B00485D7319DDEBDFB2DAD577D5CA6ACB085A7B2DE8F08ABC73EC581FF536B0C0FEFF4AF913251AAD6B592B8F712C9E89C2273527C5DC1FC39B22149175AFD2A
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-01T13:06:35">.. Build: 16.0.18112.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

                            C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):0.09216609452072291
                            Encrypted:false
                            SSDEEP:3:lSWFN3l/klslpF/4llfll:l9F8E0/
                            MD5:F138A66469C10D5761C6CBB36F2163C3
                            SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
                            SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
                            SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
                            Malicious:false
                            Preview:SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-journal

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:SQLite Rollback Journal
                            Category:dropped
                            Size (bytes):4616
                            Entropy (8bit):0.1370048545379396
                            Encrypted:false
                            SSDEEP:3:7FEG2l+o5H/FllkpMRgSWbNFl/sl+ltlslVlllfllVVn:7+/lX5Bg9bNFlEs1EP/Xn
                            MD5:B072ECD2BF46BD567EF92C352025090D
                            SHA1:1BDF21089A61D359B9BB71CFC8828FF9F7B34B37
                            SHA-256:BB647A92D70288915EA99C17BCD54892B0EEB162D3DFC6735BFB73036F1E0B8B
                            SHA-512:66BFC26B71919BEF15BF560C72FE03B741AD77C97E2F8E5D8C53B4EF171AAB5EF31E7D60E2838BBD15FB2A19E5578998DC56C7627460BC4F2D929E17E236C4BF
                            Malicious:false
                            Preview:.... .c......-.~....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-shm

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):0.044450445079271414
                            Encrypted:false
                            SSDEEP:3:G4l2r8c/gkBlIt4l2r8c/gkB/lElL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2KkzY4l2KkplML9XXPH4l942U
                            MD5:479D84200E0979826C4B6E36D41A4007
                            SHA1:252B5CA61DCEB34C58799B276A8F89488778A670
                            SHA-256:6FD0B5DEFD11F3726FF16C72BA2B55C995070E3FCE20F17A1BF1C011958073F7
                            SHA-512:4CA416AD9C10FB4B890AA663FC54C4FB664F62989BF6CA7AF5CC73EF645162091D69CFBB6C61EE72F8ADA57D67E0F8D702CB04E6A901CDECCFBEA1B9F5E2FAB6
                            Malicious:false
                            Preview:..-.....................|...~B........5........-.....................|...~B........5..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-wal

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:SQLite Write-Ahead Log, version 3007000
                            Category:dropped
                            Size (bytes):45352
                            Entropy (8bit):0.39484348996349017
                            Encrypted:false
                            SSDEEP:24:KEvQ3zRD7Ull7DBtDi4kZERDtzqt8VtbDBtDi4kZERDini:JvQ1vUll7DYMJzO8VFDYMeni
                            MD5:EFEC9533431EB0EDAC60E5DC80C09EC1
                            SHA1:B9F50F2F1B5BAE1378EFFC5E62E3593BDC9E16ED
                            SHA-256:B25C8F55760272D4D23D8507070D9F27923E8B09022946F366E8880686DFAA32
                            SHA-512:3AE0CDA211219AD6B8E4920C331C402A9DBDCE38F8891B32AB19020DEF3E347E8A8B3FCFFE2B201B5BE9B75B86440FCC4BAD15A11D48DB4113E38012501CEBB6
                            Malicious:false
                            Preview:7....-.....................vW.............".k.. .SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):2278
                            Entropy (8bit):3.8584956573829956
                            Encrypted:false
                            SSDEEP:48:uiTrlKxsxxcxl9Il8u9Gd267Dl3CZb96OlBK05elOo6yEd1rc:vwYLGdNQbEOlsO6OoD
                            MD5:9F716A1B691EEF0C76F51AAEB602EB01
                            SHA1:9C333DCA04E772EB6474A4F9D79118753AF35A59
                            SHA-256:D7FD81915A6358A720A18F94485EAE1ABFA2216A299870A074A7BD42D07A25E6
                            SHA-512:C01B15DE261276E35B8FC7A7B890B4A1DA67B34FA5FBF20764C5443E450F9C7F684B5CEA05E18D053E1A6F34724A93F7A65E44C5A1E8B7B3207323540370B43A
                            Malicious:false
                            Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.I.F.J.I.g.s.U.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.Z.H.o.c.X.M.

                            C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):4542
                            Entropy (8bit):3.998491497979512
                            Encrypted:false
                            SSDEEP:96:FYLGd3vwZDIdhst8HNvtGPt6sHrH/NOQHS5C8WoVlx:FEGdvwPt8tvtGt9rH1OQyfx
                            MD5:59966AC902DE6EBD7F17A563C17AC04F
                            SHA1:A8C7D225E8BEE8F9A77CDE8E6AFFF4E76F4190F1
                            SHA-256:EE9A25DA532711F5BDAE98BEFA83C069142B6D46B080D495D9E6F066A27E753C
                            SHA-512:FA06B11AA13BD55489C43E95A5A8BD548C38F00EEB2DE0D0C8FFC026ECA5A7141F85D6574A485E203FEA773003D4AE109F2020341CD44934170DBF146D4104EF
                            Malicious:false
                            Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.c./.W.B.g.M.U.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.Z.H.o.c.X.M.

                            C:\Users\user\AppData\Local\Microsoft\Windows\2057\StructuredQuerySchema.bin

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:modified
                            Size (bytes):423818
                            Entropy (8bit):5.375342137412923
                            Encrypted:false
                            SSDEEP:6144:/Myflm+vyJfbnQkK96B88yKv4bWTmTvEiLSu:/MyNm+6dF4/9
                            MD5:64A3E7576CF5C372B32425F19E7DA148
                            SHA1:33D20D9F1C90BA594F1ED934EDA6F74489B390B9
                            SHA-256:57E97D2C6B44FC33263BB6D54C4A856781F92AA0DB9DC9E238DE1F5CF0825AEF
                            SHA-512:DC43BECFB76416B959736777883B65823F9F2B0343DF93D9667DB250C51BDB70BE994BCBBC43C316AA743CB81875E5EB6995D7B16A7F877D563CA7D936931A0A
                            Malicious:false
                            Preview:...P................d...................D...................System.StructuredQueryType.Action.System.StructuredQueryType.AllBitsSet.System.StructuredQueryType.AnyBitsSet.System.StructuredQueryType.Blurb.System.StructuredQueryType.Boolean.=TRUE.=FALSE.System.StructuredQueryType.ByteUnit.=1.=1024.=1048576.=1073741824.=1099511627776.=1125899906842624.=1152921504606846976.=1000.=1000000.=1000000000.=1000000000000.=1000000000000000.=1000000000000000000.System.StructuredQueryType.DateTime.N00UUUUUUUK7ZZNNU.N00UUUUUUUK1ZZNNU.N00UUUUUUUK2ZZNNU.N00UUUUUUUK3ZZNNU.N00UUUUUUUK4ZZNNU.N00UUUUUUUK5ZZNNU.N00UUUUUUUK6ZZNNU.N00UK1UUUUUUZZNNU.N00UK2UUUUUUZZNNU.N00UK3UUUUUUZZNNU.N00UK4UUUUUUZZNNU.N00UK5UUUUUUZZNNU.N00UK6UUUUUUZZNNU.N00UK7UUUUUUZZNNU.N00UK8UUUUUUZZNNU.N00UK9UUUUUUZZNNU.N00UK10UUUUUUZZNNU.N00UK11UUUUUUZZNNU.N00UK12UUUUUUZZNNU.R00UUUUUUUUZDNNU.R00UUUUUUUUD-1DNNU.R00UUUUUUUUD1DNNU.R00UUUUUUUUZZXD-1NU.R00UUUUUUUUZZXD1NU.R00UUUUUUUUZWNNU.R00UUUUUUUUW-1WNNU.R00UUUUUUUUW1WNNU.R00UUUUUUUUZZXW-1NU.

                            C:\Users\user\AppData\Local\Temp\Diagnostics\POWERPNT\App1727787993490942000_2365BA56-4F7A-4470-9619-EABBF3614690.log

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):20971520
                            Entropy (8bit):0.02265934586032286
                            Encrypted:false
                            SSDEEP:1536:PjVpTsl9AKph0fXwq07ekewN2Tx1p6mAcCYXVXMOHGX8ezUB3+m+7IPD7c:3
                            MD5:597B53515AA1B2E8C6442AF6E030893B
                            SHA1:9BFCD34C7EEABC79179EF005E6D25261D7D37312
                            SHA-256:36CE88B8D81C710A65616C72DBBF9E92CEFBF9780CA9A609DF85E989BE57F089
                            SHA-512:1FDA802BF8CEDD12FFE3B6782F5C5FEEABA63D15A88F782F9D011B6A0F848BFDA115AF3D0312B5F94FEEA3817930876EB466E3ECB51554B595E7E63DE1F8B618
                            Malicious:false
                            Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/01/2024 13:06:34.160.POWERPNT (0x1810).0x191C.Microsoft PowerPoint.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Performance.Boot","Flags":2814766963868161,"InternalSequenceNumber":29,"Time":"2024-10-01T13:06:34.160Z","Contract":"Office.System.Activity","Activity.CV":"VrplI3pPcESWGeq782FGkA.1","Activity.Duration":1696272,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.ActivationKind":"Automation","Data.InitializationDuration":565795,"Data.DurationUntilMso20Initialization":97583,"Data.LoadAccountsDuration":1707,"Data.IdentityMainThreadDuration":5868,"Data.OneAuthStackUsed":false,"Data.TotalWorkingSetMB":43.281250,"Data.PrivateCommitUsageMB":16.867187,"Data.PageFaultCount":12082,"Data.FreeMemoryPercentage":29,"Data.BootToStart":false,"Data.DurationProcessCreationTimeToMso20Initialization":881097}...10/01/2024 13:06:34.207.POWERPNT (0x1810).0x153C.Microsoft PowerPoint.Telemetry Ev

                            C:\Users\user\AppData\Local\Temp\Diagnostics\POWERPNT\App1727787993491415700_2365BA56-4F7A-4470-9619-EABBF3614690.log

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):20971520
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                            SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                            SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                            SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                            Malicious:false
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\TCD10D.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):262
                            Entropy (8bit):3.4901887319218092
                            Encrypted:false
                            SSDEEP:6:fxnxUXqhBMl0OoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyiMl0OoGHmD0+dAH/luWvv
                            MD5:52BD0762F3DC77334807DDFC60D5F304
                            SHA1:5962DA7C58F742046A116DDDA5DC8EA889C4CB0E
                            SHA-256:30C20CC835E912A6DD89FD1BF5F7D92B233B2EC24594F1C1FE0CADB03A8C3FAB
                            SHA-512:FB68B1CF9677A00D5651C51EC604B61DAC2D250D44A71D43CD69F41F16E4F0A7BAA7AD4A6F7BB870429297465A893013BBD7CC77A8F709AD6DB97F5A0927B1DD
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.a.d.i.a.l.P.i.c.t.u.r.e.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD10D.tmp\RadialPictureList.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):5596
                            Entropy (8bit):7.875182123405584
                            Encrypted:false
                            SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                            MD5:CDC1493350011DB9892100E94D5592FE
                            SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                            SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                            SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.

                            C:\Users\user\AppData\Local\Temp\TCD11E.tmp\CircleProcess.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):16806
                            Entropy (8bit):7.9519793977093505
                            Encrypted:false
                            SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                            MD5:950F3AB11CB67CC651082FEBE523AF63
                            SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                            SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                            SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........Ul.<..<"I5...&......diagrams/layout1.xml.}.r.I..s........~Y.f.gzfv......E."w.K..J5m.e...4.0..Q... A.!...%...<...3.......O.......t~.u{...5.G......?,.........N......L......~.:....^,..r=./~7_..8............o.y......oo.3.f........f.......r.7../....qrr.v9.......,?..._O.....?9.O~]..zv.I'.W..........;..\..~....../........?~..n.....\}pt.........b,~...;>.=;>:..u.....?.......2]..]....i......9..<.p..4D..

                            C:\Users\user\AppData\Local\Temp\TCD11E.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):254
                            Entropy (8bit):3.4720677950594836
                            Encrypted:false
                            SSDEEP:6:fxnxUXOu9+MlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnycMlWlzGHmD0+dAH/luWvv
                            MD5:D04EC08EFE18D1611BDB9A5EC0CC00B1
                            SHA1:668FF6DFE64D5306220341FC2C1353199D122932
                            SHA-256:FA60500F951AFAF8FFDB6D1828456D60004AE1558E8E1364ADC6ECB59F5450C9
                            SHA-512:97EBCCAF64FA33238B7CFC0A6D853EFB050D877E21EE87A78E17698F0BB38382FCE7F6C4D97D550276BD6B133D3099ECAB9CFCD739F31BFE545F4930D896EEC3
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.l.e.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD120.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):280
                            Entropy (8bit):3.484503080761839
                            Encrypted:false
                            SSDEEP:6:fxnxUXGdQ1MecJZMlWlk2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny2dQ98MlWlzGHmD0+dAH/luWvv
                            MD5:1309D172F10DD53911779C89A06BBF65
                            SHA1:274351A1059868E9DEB53ADF01209E6BFBDFADFB
                            SHA-256:C190F9E7D00E053596C3477455D1639C337C0BE01012C0D4F12DFCB432F5EC56
                            SHA-512:31B38AD2D1FFF93E03BF707811F3A18AD08192F906E36178457306DDAB0C3D8D044C69DE575ECE6A4EE584800F827FB3C769F98EA650F1C208FEE84177070339
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.r.c.o.n.n.e.c.t.e.d.B.l.o.c.k.P.r.o.c.e.s.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD120.tmp\InterconnectedBlockProcess.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):9191
                            Entropy (8bit):7.93263830735235
                            Encrypted:false
                            SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                            MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                            SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                            SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                            SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                            Malicious:false
                            Preview:PK.........]w>....<...5.......diagrams/layout1.xmlz........].r.F.}......1w`.J..'.......w..Dn. d....~........pw...O.......s...?...p7.t>e.r<.]u.e..d..|8..\uo.......K...._.Y..E6.|..y;........y.*/:o./...:[.o.+/.....?.....Z.?..s..d}...S.`...b.^o9.e.ty9_d...y>M.....7...e....."....<.v.u...e:].N.t....a....0..}..bQ.Y..>.~..~...U.|..Ev.....N...bw....{...O..Y.Y.&........A.8Ik...N.Z.P.[}t........|m...E..v..,..6........_?..."..K<.=x....$..%@.e..%....$=F..G..e........<F..G51..;......=...e.e.q..d......A...&9'.N.\%.=N.Z.9.s......y.4.Q.c......|8.......Eg.:.ky.z.h.......).O...mz...N.wy.m...yv....~8.?Lg..o.l.y:.....z.i..j.irxI.w...r.......|.=....s};.\u.{t;i~S.......U7..mw...<.vO...M.o...W.U.....}.`V<|..%....l..`>]..".].I.i.N..Z..~Lt.........}?..E~:..>$......x...%.........N....'C.m.=...w.=.Y...+'M.].2 >.]_~...'.?...:....z.O..Y......6..5...sj?.....).B..>.3...G...p.9.K!..[H..1$v../...E V..?`....+[...C......h..!.QI5....<.>...A.d.......

                            C:\Users\user\AppData\Local\Temp\TCD131.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):258
                            Entropy (8bit):3.4692172273306268
                            Encrypted:false
                            SSDEEP:6:fxnxUXcq9DsoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnysmYoGHmD0+dAH/luWvv
                            MD5:C1B36A0547FB75445957A619201143AC
                            SHA1:CDB0A18152F57653F1A707D39F3D7FB504E244A7
                            SHA-256:4DFF7D1CEF6DD85CC73E1554D705FA6586A1FBD10E4A73EEE44EAABA2D2FFED9
                            SHA-512:0923FB41A6DB96C85B44186E861D34C26595E37F30A6F8E554BD3053B99F237D9AC893D47E8B1E9CF36556E86EFF5BE33C015CBBDD31269CDAA68D6947C47F3F
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .p.i.c.t.u.r.e.o.r.g.c.h.a.r.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD131.tmp\pictureorgchart.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):7370
                            Entropy (8bit):7.9204386289679745
                            Encrypted:false
                            SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                            MD5:586CEBC1FAC6962F9E36388E5549FFE9
                            SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                            SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                            SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                            Malicious:false
                            Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

                            C:\Users\user\AppData\Local\Temp\TCD142.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):254
                            Entropy (8bit):3.4721586910685547
                            Encrypted:false
                            SSDEEP:6:fxnxUX9+RclTloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyteUTloGHmD0+dAH/luWvv
                            MD5:4DD225E2A305B50AF39084CE568B8110
                            SHA1:C85173D49FC1522121AA2B0B2E98ADF4BB95B897
                            SHA-256:6F00DD73F169C73D425CB9895DAC12387E21C6E4C9C7DDCFB03AC32552E577F4
                            SHA-512:0493AB431004191381FF84AD7CC46BD09A1E0FEEC16B3183089AA8C20CC7E491FAE86FE0668A9AC677F435A203E494F5E6E9E4A0571962F6021D6156B288B28A
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.e.v.r.o.n.a.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD142.tmp\chevronaccent.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):4243
                            Entropy (8bit):7.824383764848892
                            Encrypted:false
                            SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                            MD5:7BC0A35807CD69C37A949BBD51880FF5
                            SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                            SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                            SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                            Malicious:false
                            Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

                            C:\Users\user\AppData\Local\Temp\TCD143.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):264
                            Entropy (8bit):3.4866056878458096
                            Encrypted:false
                            SSDEEP:6:fxnxUX0XrZUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXWloGHmD0+dAH/luWvv
                            MD5:6C489D45F3B56845E68BE07EA804C698
                            SHA1:C4C9012C0159770CB882870D4C92C307126CEC3F
                            SHA-256:3FE447260CDCDEE287B8D01CF5F9F53738BFD6AAEC9FB9787F2826F8DEF1CA45
                            SHA-512:D1355C48A09E7317773E4F1613C4613B7EA42D21F5A6692031D288D69D47B19E8F4D5A29AFD8B751B353FC7DE865EAE7CFE3F0BEC05F33DDF79526D64A29EB18
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD143.tmp\ThemePictureAccent.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):6448
                            Entropy (8bit):7.897260397307811
                            Encrypted:false
                            SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                            MD5:42A840DC06727E42D42C352703EC72AA
                            SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                            SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                            SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                            Malicious:false
                            Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

                            C:\Users\user\AppData\Local\Temp\TCD144.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):254
                            Entropy (8bit):3.4845992218379616
                            Encrypted:false
                            SSDEEP:6:fxnxUXQFoElh/lE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8lLGHmD0+dAH/luWvv
                            MD5:E8B30D1070779CC14FBE93C8F5CF65BE
                            SHA1:9C87F7BC66CF55634AB3F070064AAF8CC977CD05
                            SHA-256:2E90434BE1F6DCEA9257D42C331CD9A8D06B848859FD4742A15612B2CA6EFACB
                            SHA-512:C0D5363B43D45751192EF06C4EC3C896A161BB11DBFF1FC2E598D28C644824413C78AE3A68027F7E622AF0D709BE0FA893A3A3B4909084DF1ED9A8C1B8267FCA
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .H.e.x.a.g.o.n.R.a.d.i.a.l...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD144.tmp\HexagonRadial.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):6024
                            Entropy (8bit):7.886254023824049
                            Encrypted:false
                            SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                            MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                            SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                            SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                            SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".

                            C:\Users\user\AppData\Local\Temp\TCD145.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):260
                            Entropy (8bit):3.4895685222798054
                            Encrypted:false
                            SSDEEP:6:fxnxUX4cPBl4xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyPl4xoGHmD0+dAH/luWvv
                            MD5:63E8B0621B5DEFE1EF17F02EFBFC2436
                            SHA1:2D02AD4FD9BF89F453683B7D2B3557BC1EEEE953
                            SHA-256:9243D99795DCDAD26FA857CB2740E58E3ED581E3FAEF0CB3781CBCD25FB4EE06
                            SHA-512:A27CDA84DF5AD906C9A60152F166E7BD517266CAA447195E6435997280104CBF83037F7B05AE9D4617323895DCA471117D8C150E32A3855156CB156E15FA5864
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.r.y.i.n.g.W.i.d.t.h.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD145.tmp\VaryingWidthList.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3075
                            Entropy (8bit):7.716021191059687
                            Encrypted:false
                            SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                            MD5:67766FF48AF205B771B53AA2FA82B4F4
                            SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                            SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                            SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                            Malicious:false
                            Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.

                            C:\Users\user\AppData\Local\Temp\TCD166.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):260
                            Entropy (8bit):3.494357416502254
                            Encrypted:false
                            SSDEEP:6:fxnxUX0XPE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPGHmD0+dAH/luWvv
                            MD5:6F8FE7B05855C203F6DEC5C31885DD08
                            SHA1:9CC27D17B654C6205284DECA3278DA0DD0153AFF
                            SHA-256:B7F58DF058C938CCF39054B31472DC76E18A3764B78B414088A261E440870175
                            SHA-512:C518A243E51CB4A1E3C227F6A8A8D9532EE111D5A1C86EBBB23BD4328D92CD6A0587DF65B3B40A0BE2576D8755686D2A3A55E10444D5BB09FC4E0194DB70AFE6
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.G.r.i.d...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD166.tmp\ThemePictureGrid.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):6193
                            Entropy (8bit):7.855499268199703
                            Encrypted:false
                            SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                            MD5:031C246FFE0E2B623BBBD231E414E0D2
                            SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                            SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                            SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                            Malicious:false
                            Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~

                            C:\Users\user\AppData\Local\Temp\TCD178.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):286
                            Entropy (8bit):3.4670546921349774
                            Encrypted:false
                            SSDEEP:6:fxnxUX0XPYDxUloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyEXPYDCloGHmD0+dAH/luWvv
                            MD5:3D52060B74D7D448DC733FFE5B92CB52
                            SHA1:3FBA3FFC315DB5B70BF6F05C4FF84B52A50FCCBC
                            SHA-256:BB980559C6FC38B703D1E9C41720D5CE8D00D2FF86D4F25136DB02B1E54B1518
                            SHA-512:952EF139A72562A528C1052F1942DAE1C0509D67654BF5E7C0602C87F90147E8EE9E251D2632BCB5B511AB2FF8A3734293D0A4E3DBD3D187F5E3C042685F9A0C
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.h.e.m.e.P.i.c.t.u.r.e.A.l.t.e.r.n.a.t.i.n.g.A.c.c.e.n.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD178.tmp\ThemePictureAlternatingAccent.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):5630
                            Entropy (8bit):7.87271654296772
                            Encrypted:false
                            SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                            MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                            SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                            SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                            SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                            Malicious:false
                            Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

                            C:\Users\user\AppData\Local\Temp\TCD179.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):242
                            Entropy (8bit):3.4938093034530917
                            Encrypted:false
                            SSDEEP:6:fxnxUX44lWWoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvToGHmD0+dAH/luWvv
                            MD5:A6B2731ECC78E7CED9ED5408AB4F2931
                            SHA1:BA15D036D522978409846EA682A1D7778381266F
                            SHA-256:6A2F9E46087B1F0ED0E847AF05C4D4CC9F246989794993E8F3E15B633EFDD744
                            SHA-512:666926612E83A7B4F6259C3FFEC3185ED3F07BDC88D43796A24C3C9F980516EB231BDEA4DC4CC05C6D7714BA12AE2DCC764CD07605118698809DEF12A71F1FDD
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD179.tmp\TabList.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):4888
                            Entropy (8bit):7.8636569313247335
                            Encrypted:false
                            SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                            MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                            SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                            SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                            SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                            Malicious:false
                            Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

                            C:\Users\user\AppData\Local\Temp\TCD199.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):238
                            Entropy (8bit):3.472155835869843
                            Encrypted:false
                            SSDEEP:6:fxnxUXGE2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny4GHmD0+dAH/luWvv
                            MD5:2240CF2315F2EB448CEA6E9CE21B5AC5
                            SHA1:46332668E2169E86760CBD975FF6FA9DB5274F43
                            SHA-256:0F7D0BD5A8CED523CFF4F99D7854C0EE007F5793FA9E1BA1CD933B0894BFBD0D
                            SHA-512:10BA73FF861112590BF135F4B337346F9D4ACEB10798E15DC5976671E345BC29AC8527C6052FEC86AA7058E06D1E49052E49D7BCF24A01DB259B5902DB091182
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .r.i.n.g.s...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCD199.tmp\rings.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):5151
                            Entropy (8bit):7.859615916913808
                            Encrypted:false
                            SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                            MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                            SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                            SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                            SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                            Malicious:false
                            Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s

                            C:\Users\user\AppData\Local\Temp\TCD19A5.tmp\Organic.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):8705569
                            Entropy (8bit):7.955490103632122
                            Encrypted:false
                            SSDEEP:196608:fHnG7lmZcnwldXA4AZwsjVvWJ5u2AbKLCIV50CAmad7uS/5o:u7lVGXA4ABJWJc2A6rkno
                            MD5:476CF35ED8367EB98237B6428266D6D8
                            SHA1:37B320D5109D5FB41044F329187CFECAA8DE2A9C
                            SHA-256:71739BEA66F1DEE0789A7675ADD098123EC0E8E45EB74D707F6412B28FCBAE81
                            SHA-512:7280C51F2DC97871C8B959A971445E1CE1499D108204C025043A0B44E9A9D6AC03E1326BBE652EF2EF900BC6F3F5566A32DBA5AA2EEA6A84F1585323E9C9CAE0
                            Malicious:false
                            Preview:PK..........A.f}......p......[Content_Types].xml..n.@.._......8i.'......}.......(y...H}......3Fi..%.......3..._...j.`.2....cod.(...r...w{s..)...]..3..APF.61...6ug.Y...... 7.....d<..Q.V6.N......{.0.U5...>.-..Ko.nw.f...'.....!.s.=fw.{PaW.. ..82.;.<..os....n....>...w..%....P...v...v....'....m.m..3.[.._...:[,...h..!~s..^..Y..E.....^.9Y.j.....#x......3....=....b}4O.*....k7.+.&.Xg.X.X..XSN.KN.+N.7.X....!..CR....I]...>....L...!=...9..!L.0.v.gEo\.......w..No.a.C.q.}<.........a..n./......e.-)h9a..}i.}.."-..C.C.Xq..0?..M4.........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......4....&T......Wlw.b....}..+.A\...q......~.WK.Z^..........>.h..`......}......k..s.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G.....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ...-Z.>X.2.....>8..S.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ..

                            C:\Users\user\AppData\Local\Temp\TCD19A5.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):280
                            Entropy (8bit):3.532897849466528
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXYwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                            MD5:FB2CC12691A46374B7E41C7717EA840C
                            SHA1:D0D3FCB7822E592D941E93D345038319D0AD5F72
                            SHA-256:511CC0AD1D792722E928A7FF0A99EA09125D47F6F63381BB9E7B57336A7CAA43
                            SHA-512:E491B650D49B1136D5AC34B4DD8157F7FB41B9B57906A9A23B6ADD24FEE0EA3CA182CAFD9F4C0D35816D5417D610799E9DEDA248184DBBB7ED1AD52CA0958D4A
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .O.r.g.a.n.i.c...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD247.tmp\Banded.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):562113
                            Entropy (8bit):7.67409707491542
                            Encrypted:false
                            SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                            MD5:4A1657A3872F9A77EC257F41B8F56B3D
                            SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                            SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                            SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Local\Temp\TCD247.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):278
                            Entropy (8bit):3.535736910133401
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXeAlFkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyRGymD0wbnKNAH/lMz1
                            MD5:487E25E610F3FC2EEA27AB54324EA8F6
                            SHA1:11C2BB004C5E44503704E9FFEEFA7EA7C2A9305C
                            SHA-256:022EC5077279A8E447B590F7260E1DBFF764DE5F9CDFD4FDEE32C94C66D4A1A2
                            SHA-512:B8DF351E2C0EF101CF91DC02E136A3EE9C1FDB18294BECB13A29D676FBBE791A80A58A18FBDEB953BC21EC54EB7608154D401407C461ABD10ACB94CE8AD0E092
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.n.d.e.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD353.tmp\Basis.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):558035
                            Entropy (8bit):7.696653383430889
                            Encrypted:false
                            SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                            MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                            SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                            SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                            SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Local\Temp\TCD353.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.5361139545278144
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXeMWMluRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnycMlMymD0wbnKNAH/lMz1
                            MD5:133D126F0DE2CC4B29ECE38194983265
                            SHA1:D8D701298D7949BE6235493925026ED405290D43
                            SHA-256:08485EBF168364D846C6FD55CD9089FE2090D1EE9D1A27C1812E1247B9005E68
                            SHA-512:75D7322BE8A5EF05CAA48B754036A7A6C56399F17B1401F3F501DA5F32B60C1519F2981043A773A31458C3D9E1EF230EC60C9A60CAC6D52FFE16147E2E0A9830
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.a.s.i.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD376.tmp\Dividend.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):570901
                            Entropy (8bit):7.674434888248144
                            Encrypted:false
                            SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                            MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                            SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                            SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                            SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Local\Temp\TCD376.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):282
                            Entropy (8bit):3.5459495297497368
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXvBAuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnypJymD0wbnKNAH/lMz1
                            MD5:76340C3F8A0BFCEDAB48B08C57D9B559
                            SHA1:E1A6672681AA6F6D525B1D17A15BF4F912C4A69B
                            SHA-256:78FE546321EDB34EBFA1C06F2B6ADE375F3B7C12552AB2A04892A26E121B3ECC
                            SHA-512:49099F040C099A0AED88E7F19338140A65472A0F95ED99DEB5FA87587E792A2D11081D59FD6A83B7EE68C164329806511E4F1B8D673BEC9074B4FF1C09E3435D
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.i.v.i.d.e.n.d...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD386.tmp\Metropolitan.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):777647
                            Entropy (8bit):7.689662652914981
                            Encrypted:false
                            SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                            MD5:B30D2EF0FC261AECE90B62E9C5597379
                            SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                            SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                            SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                            Malicious:false
                            Preview:PK.........V'B.._<....-.......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                            C:\Users\user\AppData\Local\Temp\TCD386.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):290
                            Entropy (8bit):3.5091498509646044
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUX1MiDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyFdMymD0wbnKNAH/lMz1
                            MD5:23D59577F4AE6C6D1527A1B8CDB9AB19
                            SHA1:A345D683E54D04CC0105C4BFFCEF8C6617A0093D
                            SHA-256:9ADD2C3912E01C2AC7FAD6737901E4EECBCCE6EC60F8E4D78585469A440E1E2C
                            SHA-512:B85027276B888548ECB8A2FC1DB1574C26FF3FCA7AF1F29CD5074EC3642F9EC62650E7D47462837607E11DCAE879B1F83DF4762CA94667AE70CBF78F8D455346
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.t.r.o.p.o.l.i.t.a.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD397.tmp\Frame.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):523048
                            Entropy (8bit):7.715248170753013
                            Encrypted:false
                            SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                            MD5:C276F590BB846309A5E30ADC35C502AD
                            SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                            SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                            SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Local\Temp\TCD397.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.5159096381406645
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXQIa3ARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygIaqymD0wbnKNAH/lMz1
                            MD5:71CCB69AF8DD9821F463270FB8CBB285
                            SHA1:8FED3EB733A74B2A57D72961F0E4CF8BCA42C851
                            SHA-256:8E63D7ABA97DABF9C20D2FAC6EB1665A5D3FDEAB5FA29E4750566424AE6E40B4
                            SHA-512:E62FC5BEAEC98C5FDD010FABDAA8D69237D31CA9A1C73F168B1C3ED90B6A9B95E613DEAD50EB8A5B71A7422942F13D6B5A299EB2353542811F2EF9DA7C3A15DC
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.r.a.m.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD3E9.tmp\View.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):486596
                            Entropy (8bit):7.668294441507828
                            Encrypted:false
                            SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                            MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                            SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                            SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                            SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                            Malicious:false
                            Preview:PK.........V'BE,.{....#P......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                            C:\Users\user\AppData\Local\Temp\TCD3E9.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):274
                            Entropy (8bit):3.535303979138867
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUX3IlVARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnynG6ymD0wbnKNAH/lMz1
                            MD5:35AFE8D8724F3E19EB08274906926A0B
                            SHA1:435B528AAF746428A01F375226C5A6A04099DF75
                            SHA-256:97B8B2E246E4DAB15E494D2FB5F8BE3E6361A76C8B406C77902CE4DFF7AC1A35
                            SHA-512:ACF4F124207974CFC46A6F4EA028A38D11B5AF40E55809E5B0F6F5DABA7F6FC994D286026FAC19A0B4E2311D5E9B16B8154F8566ED786E5EF7CDBA8128FD62AF
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.i.e.w...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD3FA.tmp\Parcel.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):608122
                            Entropy (8bit):7.729143855239127
                            Encrypted:false
                            SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                            MD5:8BA551EEC497947FC39D1D48EC868B54
                            SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                            SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                            SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                            Malicious:false
                            Preview:PK.........LGE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK.........LG.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Local\Temp\TCD3FA.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):278
                            Entropy (8bit):3.516359852766808
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXKwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6qymD0wbnKNAH/lMz1
                            MD5:960E28B1E0AB3522A8A8558C02694ECF
                            SHA1:8387E9FD5179A8C811CCB5878BAC305E6A166F93
                            SHA-256:2707FCA8CEC54DF696F19F7BCAD5F0D824A2AC01B73815DE58F3FCF0AAB3F6A0
                            SHA-512:89EA06BA7D18B0B1EA624BBC052F73366522C231BD3B51745B92CF056B445F9D655F9715CBDCD3B2D02596DB4CD189D91E2FE581F2A2AA2F6D814CD3B004950A
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.c.e.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD3FC.tmp\Parallax.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):924687
                            Entropy (8bit):7.824849396154325
                            Encrypted:false
                            SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                            MD5:97EEC245165F2296139EF8D4D43BBB66
                            SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                            SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                            SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                            Malicious:false
                            Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                            C:\Users\user\AppData\Local\Temp\TCD3FC.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):282
                            Entropy (8bit):3.51145753448333
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXKsWkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6svymD0wbnKNAH/lMz1
                            MD5:7956D2B60E2A254A07D46BCA07D0EFF0
                            SHA1:AF1AC8CA6FE2F521B2EE2B7ABAB612956A65B0B5
                            SHA-256:C92B7FD46B4553FF2A656FF5102616479F3B503341ED7A349ECCA2E12455969E
                            SHA-512:668F5D0EFA2F5168172E746A6C32820E3758793CFA5DB6791DE39CB706EF7123BE641A8134134E579D3E4C77A95A0F9983F90E44C0A1CF6CDE2C4E4C7AF1ECA0
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.a.r.a.l.l.a.x...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD43C.tmp\Quotable.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):966946
                            Entropy (8bit):7.8785200658952
                            Encrypted:false
                            SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                            MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                            SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                            SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                            SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                            Malicious:false
                            Preview:PK..........1A.......F`......[Content_Types].xml..n.@.._.y.ac $..,........-..g@.u.G.+t.:........D1...itgt>...k..lz;].8Kg^....N.l..........0.~}....ykk.A`..N..\...2+.e.c..r..P+....I.e.......|.^/.vc{......s..z....f^...8...'.zcN&.<....}.K.'h..X..y.c.qnn.s%...V('~v.W.......I%nX`.....G.........r.Gz.E..M.."..M....6n.a..V.K6.G?Qqz..............\e.K.>..lkM...`...k.5...sb.rbM8..8..9..pb..R..{>$..C.>......X..iw.'..a.09CPk.n...v....5n..Uk\...SC...j.Y.....Vq..vk>mi......z..t....v.]...n...e(.....s.i......]...q.r....~.WV/.j.Y......K..-.. Z..@.\.P..W...A..X8.`$C.F(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........c..0F...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP..........(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-.............0A...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP.........w(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........T..GI..~.....~....PK..........1A.s@.....O......._rels/.rels...J.

                            C:\Users\user\AppData\Local\Temp\TCD43C.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):282
                            Entropy (8bit):3.5323495192404475
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXhduDARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyxdumymD0wbnKNAH/lMz1
                            MD5:BD6B5A98CA4E6C5DBA57C5AD167EDD00
                            SHA1:CCFF7F635B31D12707DC0AC6D1191AB5C4760107
                            SHA-256:F22248FE60A55B6C7C1EB31908FAB7726813090DE887316791605714E6E3CEF7
                            SHA-512:A178299461015970AF23BA3D10E43FCA5A6FB23262B0DD0C5DDE01D338B4959F222FD2DC2CC5E3815A69FDDCC3B6B4CB8EE6EC0883CE46093C6A59FF2B042BC1
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .Q.u.o.t.a.b.l.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD46E.tmp\Berlin.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):976001
                            Entropy (8bit):7.791956689344336
                            Encrypted:false
                            SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                            MD5:9E563D44C28B9632A7CF4BD046161994
                            SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                            SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                            SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Local\Temp\TCD46E.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):278
                            Entropy (8bit):3.5270134268591966
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXa3Y1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyt1mymD0wbnKNAH/lMz1
                            MD5:327DA4A5C757C0F1449976BE82653129
                            SHA1:CF74ECDF94B4A8FD4C227313C8606FD53B8EEA71
                            SHA-256:341BABD413AA5E8F0A921AC309A8C760A4E9BA9CFF3CAD3FB2DD9DF70FD257A6
                            SHA-512:9184C3FB989BB271B4B3CDBFEFC47EA8ABEB12B8904EE89797CC9823F33952BD620C061885A5C11BBC1BD3978C4B32EE806418F3F21DA74F1D2DB9817F6E167E
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.e.r.l.i.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD47F.tmp\Retrospect.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):1623260
                            Entropy (8bit):7.867463315196704
                            Encrypted:false
                            SSDEEP:24576:bimPI+bGSIB3FKbFGTCpavIOuaR0Um9BbbjE68+xiMNcayWSvHo5R/m:OmPI+6fB3Abk8Q5tHmAsiMNccSvIr/m
                            MD5:126269588DEC71F54D53B563106D0500
                            SHA1:E4E27B005A9728617832F0F2645980CC2CE6EC52
                            SHA-256:0C11107C6CF799125DB9352E2F3A0D2B9ED5D55CBBEAED66D79464058598D94B
                            SHA-512:667F9CA3929926397ED5B43DF4859B8C52973F2603405763308D931C32C4DA831A144ED7041096AFC7CDD291B2978622DED5DD4C16C6BFB0F18235E05B212E5A
                            Malicious:false
                            Preview:PK.........Z&A........a.......[Content_Types].xml...r.`...[a.:%..R.v..p.gh..$d...^../.[0.e..=d....B...c.._?~._>$..}...2.t]...D.ty...I........._....T.M.I..,..APLo.$,z.,J.wf.<...e>..p.=.G......eZFiyT...8....E...P}y}..,.w;...\]k.....o......9(.E<.....>..I;....|.Lq.g....]..g......~>W.<....0/?.I.....g...U.V..3....l.O........m.l...T.....h.GE.......'K....$...z.E..(.Gc.....N......>...b....Z...Y.f.13k..:af..Y..13...........8L....o...s.....k...l.k....K.Z..i[..7mk...m._........~.../.^...{..Z...r@........P.@.....Z..d....R..e.O..jY.S.,..Z..T-K}....Z-^}.}iyS_C.C}.6.w.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_.....}iyS_C.C}C...*....Y.R..uwY.S.,..Z..T-K}...>U.R..e.O..W..o./-o.kha....N.LP..e.O...,..Z..T-K}...>U.R..e.O..jY....w./-o.kha.odC}#...s"kY....K}...>U.R..e.O..jY.S.,..Z..j.x.....M}.-....P....9..,..\[w..>U.R..e.O..jY.S.,..Z..T-K}.Z..N...M}.-...m.o.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_............3..;S0A='...>.k...jY.S.,..Z..T-K}...>U.R..e..V.W.

                            C:\Users\user\AppData\Local\Temp\TCD47F.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):286
                            Entropy (8bit):3.51951639572024
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXeZkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnykmymD0wbnKNAH/lMz1
                            MD5:77DEBFBA0B5B6B234F571A6A97E744F3
                            SHA1:51DD22B67F86F9F21E791D7B08810C297DE4756B
                            SHA-256:DDEA979C345BDB9F5D33D673CD74C84B2C25A16DE1CAC1D2311FBB52E011C786
                            SHA-512:428E2C1D370D783B481EA64E3700942F9F74E4B1693793078C8F51E8644A5A8B39DEEFF79A84E3A2C1EBF6A6A5694C26F86D19542FD3DC334A81FA94386E19A0
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .R.e.t.r.o.s.p.e.c.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD49F.tmp\Atlas.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):857650
                            Entropy (8bit):7.84356939318248
                            Encrypted:false
                            SSDEEP:12288:RiQJnhBiU81d9WbQPHxV9uqraiDFihVRR5cJJeYiaFUV0CoTz:RiwhE8bIXkvQIjRR+nDmVK3
                            MD5:9A0B4CB63DD4E749EE4258F897FF42EE
                            SHA1:BD0F90AAD36C7DB69A57179B9702B13D8C83AABF
                            SHA-256:9C5471CD01C213E94E699E12331194370D8E3F4FC37776CAACDCF7CCB8949A2E
                            SHA-512:407AB455623FD3911E6B00CF0A23333979D7E29E7DFB0A759A3FF162B12894C843C51EFF6E1F99BB721851ABB122052ED7F141053FF4F5D955D7842B3600AA44
                            Malicious:false
                            Preview:PK...........JE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK...........J.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Local\Temp\TCD49F.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.5321161173982487
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXWwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyNymD0wbnKNAH/lMz1
                            MD5:7A218A379D40D2E5944DF3D26A11273C
                            SHA1:53780A0EC7DAF776E1A5C66FE40483E46CDA52FA
                            SHA-256:D1CEBEB92A3F7E0EA94AC966FF80ABC0BDE8B1087DAC1A197EF74C065F38565C
                            SHA-512:7A935202731A8E711C0FD9FDCDA720D0988DE608AD0B489D6AEC5F52D58EF76DEDD432414CF57F4B2E8FFEC9BB914B8B3BD80BB3CAE44DAB9A43ABB1944E64C3
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.t.l.a.s...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD55F.tmp\Savon.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1204049
                            Entropy (8bit):7.92476783994848
                            Encrypted:false
                            SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                            MD5:FD5BBC58056522847B3B75750603DF0C
                            SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                            SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                            SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                            Malicious:false
                            Preview:PK..........1A..d T....P......[Content_Types].xml..Ms.@.....!...=.7....kX 5o.,L..<..........d..g/..dw.]...C...9...#g/."L..;...#. ]..f...w../._.3Y8..X.[..7._.[...K3..3.4......D.]l.?...~.&J&...s...;...H9...e.3.q.....k-.0>Lp:.7..eT...Y...P...OVg.....G..).aV...\Z.x...W.>f...oq.8.....I?Ky...g..."...J?....A$zL.].7.M.^..\....C..d/;.J0.7k.X4.e..?N{....r.."LZx.H?. ......;r.+...A<.;U.....4...!'k...s.&..)'k...d..d......._E..D...o..o...o...f.7;s..]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...s.....0..O.... ...>..>..>..>..>..>..>.........2V}......Q}#.&T...rU....\..\..\..\..\..\..\..\.W..W.^Z....Q}c;.o...>.Z..\.v...............................*Z....K.X.5X8.obG.MP.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.M.).....j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oZ/-c..`....7CaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,...|...].k.........PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...

                            C:\Users\user\AppData\Local\Temp\TCD55F.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.5364757859412563
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXARkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnywMymD0wbnKNAH/lMz1
                            MD5:CD465E8DA15E26569897213CA9F6BC9C
                            SHA1:9EA9B5E6C9B7BF72A777A21EC17FD82BC4386D4C
                            SHA-256:D4109317C2DBA1D7A94FC1A4B23FA51F4D0FC8E1D9433697AAFA72E335192610
                            SHA-512:869A42679F96414FE01FE1D79AF7B33A0C9B598B393E57E0E4D94D68A4F2107EC58B63A532702DA96A1F2F20CE72E6E08125B38745CD960DF62FE539646EDD8D
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.a.v.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD581.tmp\Facet.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):738429
                            Entropy (8bit):7.8235726750504355
                            Encrypted:false
                            SSDEEP:12288:MIA7gJFzMeFZaq2fscBNVRFCToZr5RCmUQHr+kRBhFF0s9XH44qTxQXMI:hA7gJFzZ2xBbmsZdRC4Ck19X44qyMI
                            MD5:8EBD58005DAF9C4EC15AC2530D3A4A30
                            SHA1:D11B9F2B85F20EB3DB28C4D9C9FDD909848E3E05
                            SHA-256:D3AB94FDC32B10903AD444F6F3518F93C3D7348FB945168DD8140C74BB7D7E26
                            SHA-512:00A3A6F8A8D10F4BAD87C3BEAE299D0E28931593EF0FB4145711B1D164A3351A8EF131DA0F26AAB9C3EB7AC214B69E1F03CB52E0E1EA95EB444664D5B0B998E9
                            Malicious:false
                            Preview:PK........e.$A}.4+.....k......[Content_Types].xml..n.@.E_.y.ac $..,........-..g@.u.G.+t.:......A1......=..._..d.....Y:.B...t.e.8]..].....s.M.=.....6...&Z.D.?.u..,."Q.].. W.....p0..Q.Z........Rm7....}\.{.W^.....Z3/N...o.....1'.T.o.HYw?....._,.<<c.qnn...8.:.B9.."^...U.O*q.....>..-]..O...-.q..Y.M...:.M+...}..y..{.0..V'K6.K?Qqz........c^..~GN.*s_..Q=g[k.....8..XCN..'....k.u.u....+..r...!.A....!.Q....a...7U.*uH...!gi=..Y.[.v{&.......q.=.[.v{....k.5.........4Y9..3Y).....v..mi...Wi.~.=G.....t.?.S......bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`...[..u...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C.&2.k...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C..d...*&T9..\..q...W.\...r.?.... .W.C...&+h.r&+f.R.%X..K..-.`.h....e.......zu9JR..7..Y=..6.?PK..

                            C:\Users\user\AppData\Local\Temp\TCD581.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.516936518213681
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXOpCRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyLymD0wbnKNAH/lMz1
                            MD5:B49384CBC2C04035CAFFB84C03499751
                            SHA1:43E0C785D194C56EA45833373095E7C7AE8246DB
                            SHA-256:82CD4A0EF475B600B835565B188702CB4B6CCF0398C13FE27C40C6788396739F
                            SHA-512:34E085D409BF33837A86EDEC219B5C1F8A5AF698CC77D96996DB725464064822C51173828B1C54ED789CD51B5E4CE1EC10A2CB6D62CF1C67211EC4B60023B0C3
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .F.a.c.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD5A3.tmp\Wisp.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):787354
                            Entropy (8bit):7.849038074328931
                            Encrypted:false
                            SSDEEP:12288:RBbqz121ANZ40EdYNyNv3GaNBlHT3pxozHUt3HnpHQPegZ+dNu+7TrlpocfYFWCH:qDNhEYNyJNBlT3pxoz0tAtZ00j
                            MD5:BBACB56BBFFA78CD4A21A9A6B331D84A
                            SHA1:5A854FB2FDFB3BD38DDE1AC7C832BA0FFD46F4F1
                            SHA-256:BD9DE870D21C8A5336ADC759EBFB740E105764810DD4B5B88BCA6213C9133CD7
                            SHA-512:59D798652E181582593B44015803A13F9838EE1C5971D2992F968D314CDB80B77A9869344D9D1FD26C2D8AFC4574DD9145E795DCFDA706E6CF1B49CAB6402C7B
                            Malicious:false
                            Preview:PK........x.%A}.4+.....k......[Content_Types].xml..n.@.E_.y.ac $..,........-..g@.u.G.+t.:......A1......=..._..d.....Y:.B...t.e.8]..].....s.M.=.....6...&Z.D.?.u..,."Q.].. W.....p0..Q.Z........Rm7....}\.{.W^.....Z3/N...o.....1'.T.o.HYw?....._,.<<c.qnn...8.:.B9.."^...U.O*q.....>..-]..O...-.q..Y.M...:.M+...}..y..{.0..V'K6.K?Qqz........c^..~GN.*s_..Q=g[k.....8..XCN..'....k.u.u....+..r...!.A....!.Q....a...7U.*uH...!gi=..Y.[.v{&.......q.=.[.v{....k.5.........4Y9..3Y).....v..mi...Wi.~.=G.....t.?.S......bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`...[..u...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C.&2.k...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C..d...*&T9..\..q...W.\...r.?.... .W.C...&+h.r&+f.R.%X..K..-.`.h....e.......zu9JR..7..Y=..6.?PK..

                            C:\Users\user\AppData\Local\Temp\TCD5A3.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):274
                            Entropy (8bit):3.541057232141982
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXrpRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnybvymD0wbnKNAH/lMz1
                            MD5:92A2AE68F98D9D3037FB248C57EAE3AF
                            SHA1:7C4EA71979CF442503A45F3738BAF060FCD84999
                            SHA-256:A2EF06AAEEE6AFECA584F93CD70B018FE915C222D232EED569E990293BB72C41
                            SHA-512:F9B75F836E072A6F94B61F3673D4D435D5985345872BF428E5777EDD02AD6DB1BE78C9DC04EF4F178DAC9ED9DC41FB4A7352E34AD11264258E8DB21ED6517A90
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.i.s.p...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD5C3.tmp\Ion_Boardroom.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1593982
                            Entropy (8bit):7.907400454215888
                            Encrypted:false
                            SSDEEP:24576:zT2WTsZasyuJiyV0mDUoHLgwPjvgpEtrYpXjdHo8dJNgR6MxNTkdXylo:/KYlO3BpPTgpEtkpXJTgHxWuo
                            MD5:407ACAACDD935B4C82A2D4AF73D07744
                            SHA1:E7AB195DF6F9BFD7676C34503E337194DC7631DD
                            SHA-256:ED85105C65F81EC015215B76ECBD46BEE4CAAA17AD716393DFD15D5DCD57A3E4
                            SHA-512:03D30E2357319A8153D242EEE035DDFDA718CE93E00C0D99ECF82C1387D1FE1A436111E13AD1CE67214C87CF4709D68FF452C041772A43CB242786ED4090370A
                            Malicious:false
                            Preview:PK..........AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                            C:\Users\user\AppData\Local\Temp\TCD5C3.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):292
                            Entropy (8bit):3.549050193282821
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXiXAKSwRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyX3qymD0wbnKNAH/lMz1
                            MD5:D7052608155B2599CDB50B8F9AAD7BD2
                            SHA1:F7213641CDC854DD1E7812BCCF9BD918188149F1
                            SHA-256:577A765CD1FBE2B62887AD32EE0CF7DCD6FCF166772AFB5895F5E11C0C1386AB
                            SHA-512:173AA81483025EE6A2FA042C8B281226D27E0AB4CF7E61A09FDA3897445CE90D300C9E2173AE10BC051F60CD3576B343F963FB482DC7C6529488AE8E82A5A107
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.o.n._.B.o.a.r.d.r.o.o.m...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD5F3.tmp\Circuit.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):1463634
                            Entropy (8bit):7.898382456989258
                            Encrypted:false
                            SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                            MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                            SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                            SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                            SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Local\Temp\TCD5F3.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):280
                            Entropy (8bit):3.5286004619027067
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXOzXkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny6WymD0wbnKNAH/lMz1
                            MD5:40FF521ED2BA1B015F17F0B0E5D95068
                            SHA1:0F29C084311084B8FDFE67855884D8EB60BDE1A6
                            SHA-256:CC3575BA195F0F271FFEBA6F6634BC9A2CF5F3BE448F58DBC002907D7C81CBBB
                            SHA-512:9507E6145417AC730C284E58DC6B2063719400B395615C40D7885F78F57D55B251CB9C954D573CB8B6F073E4CEA82C0525AE90DEC68251C76A6F1B03FD9943C0
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.i.r.c.u.i.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD623.tmp\Gallery.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1091485
                            Entropy (8bit):7.906659368807194
                            Encrypted:false
                            SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                            MD5:2192871A20313BEC581B277E405C6322
                            SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                            SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                            SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                            Malicious:false
                            Preview:PK...........G`.jaV....P......[Content_Types].xml...n.@...W......T@.mwM.E....)....y...H}.N..ll8.h5g6Q.=3_......?...x..e^Di.p.^.ud...(Y/..{w..r..9.../M...Q*{..E...(.4..>..y,.>..~&..b-.a.?..4Q2Q=.2.......m....>-....;]......N'..A...g.D.m.@(}..'.3Z....#....(+....-q<uq.+....?....1.....Y?Oy......O"..J?....Q$zT.].7.N..Q Wi.....<.........-..rY....hy.x[9.b.%-<.V?.(......;r.+...Q<.;U.....4...!'k...s.&..)'k...d.s..}R....o".D.I..7..7.KL.7..Z.....v..b.5.2].f....l.t....Z...Uk...j.&.U-....&>.ia1..9lhG..Q.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.........j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oT/-c..`....7FaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,..7...&(L.....>.kw...i...i...i...i...i...i...i.......I...U_.....vT.....}..\...v..W.!-W.!-W.!-W.!-W.!-W.!-W.!-W.U...7.....k.pT...0..O.... ...>..>..>..>..>..>..>......f..2V}....W>jO....5..].?.o..oPK...........G.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70.

                            C:\Users\user\AppData\Local\Temp\TCD623.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):280
                            Entropy (8bit):3.5301133500353727
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXp2pRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyZ2vymD0wbnKNAH/lMz1
                            MD5:1C5D58A5ED3B40486BC22B254D17D1DD
                            SHA1:69B8BB7B0112B37B9B5F9ADA83D11FBC99FEC80A
                            SHA-256:EBE031C340F04BB0235FE62C5A675CF65C5CC8CE908F4621A4F5D7EE85F83055
                            SHA-512:4736E4F26C6FAAB47718945BA54BD841FE8EF61F0DBA927E5C4488593757DBF09689ABC387A8A44F7C74AA69BA89BEE8EA55C87999898FEFEB232B1BA8CC7086
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .G.a.l.l.e.r.y...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD634.tmp\Wood_Type.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1649585
                            Entropy (8bit):7.875240099125746
                            Encrypted:false
                            SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                            MD5:35200E94CEB3BB7A8B34B4E93E039023
                            SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                            SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                            SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                            Malicious:false
                            Preview:PK..........1A..u._....P......[Content_Types].xml..Ms.@.....!...=.7....;a.h.&Y..l..H~..`;...d..g/..e..,M..C...5...#g/."L..;...#. ]..f...w../._.2Y8..X.[..7._.[...K3..#.4......D.]l.?...~.&J&....p..wr-v.r.?...i.d.:o....Z.a|._....|.d...A....A".0.J......nz....#.s.m.......(.]........~..XC..J......+.|...(b}...K!._.D....uN....u..U..b=.^..[...f...f.,...eo..z.8.mz....."..D..SU.}ENp.k.e}.O.N....:^....5.d.9Y.N..5.d.q.^s..}R...._E..D...o..o...o...f.6;s.Z]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...S.....0.zN.... ...>..>..>..>..>..>..>........e...,..7...F(L.....>.ku...i...i...i...i...i...i...i........yi.....G...1.....j...r.Z]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o|^Z....Q}.;.o...9.Z..\.V...............................jZ......k.pT...0.zN.... ...>..>..>..>..>..>..>........e...,..7...f(L.....>.ku...i...i...i...i...i...i...i........yi.......n.....{.._f...0...PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...

                            C:\Users\user\AppData\Local\Temp\TCD634.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):284
                            Entropy (8bit):3.5552837910707304
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXtLARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnygymD0wbnKNAH/lMz1
                            MD5:5728F26DF04D174DE9BDFF51D0668E2A
                            SHA1:C998DF970655E4AF9C270CC85901A563CFDBCC22
                            SHA-256:979DAFD61C23C185830AA3D771EDDC897BEE87587251B84F61776E720ACF9840
                            SHA-512:491B36AC6D4749F7448B9A3A6E6465E8D97FB30F33EF5019AF65660E98F4570711EFF5FC31CBB8414AD9355029610E6F93509BC4B2FB6EA79C7CB09069DE7362
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .W.o.o.d._.T.y.p.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD6C3.tmp\Droplet.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1750795
                            Entropy (8bit):7.892395931401988
                            Encrypted:false
                            SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                            MD5:529795E0B55926752462CBF32C14E738
                            SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                            SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                            SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Local\Temp\TCD6C3.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):280
                            Entropy (8bit):3.528155916440219
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXcmlDuRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyMmloymD0wbnKNAH/lMz1
                            MD5:AA7B919B21FD42C457948DE1E2988CB3
                            SHA1:19DA49CF5540E5840E95F4E722B54D44F3154E04
                            SHA-256:5FFF5F1EC1686C138192317D5A67E22A6B02E5AAE89D73D4B19A492C2F5BE2F9
                            SHA-512:01D27377942F69A0F2FE240DD73A1F97BB915E19D3D716EE4296C6EF8D8933C80E4E0C02F6C9FA72E531246713364190A2F67F43EDBE12826A1529BC2A629B00
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.r.o.p.l.e.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD6C4.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):304
                            Entropy (8bit):3.599289509037855
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXwSil6RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyAflgymD0wbnKNAH/lMz1
                            MD5:2D8509303418A7C7E5C2590D70FA6BBC
                            SHA1:BB75B99280F7955E7E45133EEC2D61D6D04C3722
                            SHA-256:F6D3A404DC524E41E261C12BFB002762E2F3275E3F4FFF6533C481F15873C0F8
                            SHA-512:9FF24BBB10CFD783E579518F1FA5B6FE340E0544CC2EC613D378B6A2FD95DEE5CBE964CD74ED5ADB9E093958E12B7B755D6E8E114CC2BB34A17F3B5214E966C6
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.y.T.e.m.p.l.a.t.e._.0.2.8.3.6.3.4.2...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD6C4.tmp\myTemplate_02836342.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):1824766
                            Entropy (8bit):7.941741037170679
                            Encrypted:false
                            SSDEEP:24576:jS2WTsZasyuJiyV0mDUoHLgwPjvv96H8D86IRZ2s4p/H2rDCg+tuXlYMErpGzwZN:OKYlO3BpPTvc8oFZ29/Rg+rrDLr
                            MD5:C5A07069AD7E82F3AEB099F346C4FF62
                            SHA1:39A58834FD8A25AED63FB83F0C00712AFC3BD2F5
                            SHA-256:EB7806D9DC3D2ABF82A061709BCD9DB8DD98FA060E66DAF6820D1FA81BB5B845
                            SHA-512:343FB8BFFA01801EED7289A513564B55B0045FF3D0A842A819CECE416C53C2398D0A0D9B55397BF2EAD5393638085AB6AB83ECB2C701F532BD55C0FED4C98EEC
                            Malicious:false
                            Preview:PK........l.%A.f}......p......[Content_Types].xml..n.@.._......8i.'......}.......(y...H}......3Fi..%.......3..._...j.`.2....cod.(...r...w{s..)...]..3..APF.61...6ug.Y...... 7.....d<..Q.V6.N......{.0.U5...>.-..Ko.nw.f...'.....!.s.=fw.{PaW.. ..82.;.<..os....n....>...w..%....P...v...v....'....m.m..3.[.._...:[,...h..!~s..^..Y..E.....^.9Y.j.....#x......3....=....b}4O.*....k7.+.&.Xg.X.X..XSN.KN.+N.7.X....!..CR....I]...>....L...!=...9..!L.0.v.gEo\.......w..No.a.C.q.}<.........a..n./......e.-)h9a..}i.}.."-..C.C.Xq..0?..M4.........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......4....&T......Wlw.b....}..+.A\...q......~.WK.Z^..........>.h..`......}......k..s.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G.....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ...-Z.>X.2.....>8..S.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ..

                            C:\Users\user\AppData\Local\Temp\TCD7A1.tmp\Slate.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2357051
                            Entropy (8bit):7.929430745829162
                            Encrypted:false
                            SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                            MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                            SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                            SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                            SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Local\Temp\TCD7A1.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.516423078177173
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUX7kARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny5ymD0wbnKNAH/lMz1
                            MD5:5402138088A9CF0993C08A0CA81287B8
                            SHA1:D734BD7F2FB2E0C7D5DB8F70B897376ECA935C9A
                            SHA-256:5C9F5E03EEA4415043E65172AD2729F34BBBFC1A1156A630C65A71CE578EF137
                            SHA-512:F40A8704F16AB1D5DCD861355B07C7CB555934BB9DA85AACDCF869DC942A9314FFA12231F9149D28D438BE6A1A14FCAB332E54B6679E29AD001B546A0F48DE64
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .S.l.a.t.e...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD840.tmp\Damask.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2218943
                            Entropy (8bit):7.942378408801199
                            Encrypted:false
                            SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                            MD5:EE33FDA08FBF10EF6450B875717F8887
                            SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                            SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                            SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                            Malicious:false
                            Preview:PK.........{MBS'..t...ip......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.._..w._..w._..w._..w._..w._..w.n..Ofu.-..K.e........T..q.F...R[...~.u.....Z..F....7.?.v....5O....zot..i.....b...^...Z...V...R...N...r./.?........=....#.`..\~n.n...)J./.......7........+......Q..]n............w......Ft........|......b...^...Z...V...R...N..W<x......l._...l..?.A......x....x.9.|.8..............u................w#.....nD..]...........R.......R.......R........o...].`.....A....#.`..\.....+J./.......7........+......Q..]n.........w9~7......Ft........|......b...^.c..-...-...-

                            C:\Users\user\AppData\Local\Temp\TCD840.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):278
                            Entropy (8bit):3.544065206514744
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXCARELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyy6ymD0wbnKNAH/lMz1
                            MD5:06B3DDEFF905F75FA5FA5C5B70DCB938
                            SHA1:E441B94F0621D593DC870A27B28AC6BE3842E7DB
                            SHA-256:72D49BDDE44DAE251AEADF963C336F72FA870C969766A2BB343951E756B3C28A
                            SHA-512:058792BAA633516037E7D833C8F59584BA5742E050FA918B1BEFC6F64A226AB3821B6347A729BEC2DF68BB2DFD2F8E27947F74CD4F6BDF842606B9DEDA0B75CC
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.a.m.a.s.k...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD851.tmp\Depth.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):2332136
                            Entropy (8bit):7.9547975506532795
                            Encrypted:false
                            SSDEEP:49152:5HQKNdoI77mfXP/mDZLGkkgrODG1MHKr4nNtOmtu0:5HNjoygXnm0jgrODhqrsNcmtu0
                            MD5:2AECC99B664F840799028A20703C3E21
                            SHA1:0018EAB0CE4900220607F4F80B506AA2F7F89C17
                            SHA-256:DF93F14304E35E460EEC7F8464AE2C2B0BFFA84D860D4857F41E0F07A3F023E3
                            SHA-512:E0BD3A86C7AF6B7202E8FBA42BCA27FBB17A21AC94A685A38C8A45F5AE35F350AE18D6B107F553DC95774FAE47F8BD8926F76DDD840BB7EB8E51E5CF2269AA1C
                            Malicious:false
                            Preview:PK........fdlB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Local\Temp\TCD851.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):276
                            Entropy (8bit):3.5344681868414707
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUX4+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyocymD0wbnKNAH/lMz1
                            MD5:C601540411B7C0E6DE93621C69A0B71D
                            SHA1:B1F855540B73B163B6FD15B227C0B1D0EDC51AA9
                            SHA-256:6690E31622155199015B15E94B39C52BEBD081611F4AE0A9E3299CC56AF8EE33
                            SHA-512:90B14C2D325A091CA3A8CAAE2B4888F79BE0CD9C7E73E3B27A73F5043BB26491ABEEBEC9E25BB27F0E11B7E8F3E5E706F7D0623759301C4FAF0BCA7BCA8F66E2
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .D.e.p.t.h...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD96E.tmp\Integral.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):3446188
                            Entropy (8bit):7.939078022105486
                            Encrypted:false
                            SSDEEP:98304:hAABj6t8mC7x/pS6+X3Bzx37OjbqOMhbEsMWII5:ct8mC7x/pS6uBzp5NhAsMWt
                            MD5:AD1C52DB4C29726B3A2D28DDA1110F76
                            SHA1:46A0656C55202A4ADFAAC7E98E9E1340C4A1FD55
                            SHA-256:7973C1386416C251569ACC3CDBFE04DA848262A9A2DA998F915E000BFD6B52B3
                            SHA-512:95C3F09611F977EB3F146C9844D7B96AF3E8123CF3393884CD10EFE7C250F446A565EDAFED1CF1FA6DCAC4D7EADAFACAD134D2A75A8CFB74462F62F5EA8B7400
                            Malicious:false
                            Preview:PK.........Z&A........a.......[Content_Types].xml...r.`...[a.:%..R.v..p.gh..$d...^../.[0.e..=d....B...c.._?~._>$..}...2.t]...D.ty...I........._....T.M.I..,..APLo.$,z.,J.wf.<...e>..p.=.G......eZFiyT...8....E...P}y}..,.w;...\]k.....o......9(.E<.....>..I;....|.Lq.g....]..g......~>W.<....0/?.I.....g...U.V..3....l.O........m.l...T.....h.GE.......'K....$...z.E..(.Gc.....N......>...b....Z...Y.f.13k..:af..Y..13...........8L....o...s.....k...l.k....K.Z..i[..7mk...m._........~.../.^...{..Z...r@........P.@.....Z..d....R..e.O..jY.S.,..Z..T-K}....Z-^}.}iyS_C.C}.6.w.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_.....}iyS_C.C}C...*....Y.R..uwY.S.,..Z..T-K}...>U.R..e.O..W..o./-o.kha....N.LP..e.O...,..Z..T-K}...>U.R..e.O..jY....w./-o.kha.odC}#...s"kY....K}...>U.R..e.O..jY.S.,..Z..j.x.....M}.-....P....9..,..\[w..>U.R..e.O..jY.S.,..Z..T-K}.Z..N...M}.-...m.o.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_............3..;S0A='...>.k...jY.S.,..Z..T-K}...>U.R..e..V.W.

                            C:\Users\user\AppData\Local\Temp\TCD96E.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):282
                            Entropy (8bit):3.52879087534807
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXG+kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny2nymD0wbnKNAH/lMz1
                            MD5:28404EC391B6387F3F2CF0A5BAE7D20E
                            SHA1:1DFAD8A962FAD4D55E2070689F3EEF4780C677FF
                            SHA-256:D870840CE4C7EE578CE1932C463B7760E31ECDF143CFBB9C194F488953E3BA70
                            SHA-512:EE7B29C3F389F25A515E2FC58E6A96617024CE74BBCF2926A5A679B536DBA10D925BDD9EE0089590658B3A20BFD8DBEBE48577A20C9CD93AD2B085BB4C8A3E82
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .I.n.t.e.g.r.a.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD97F.tmp\Madison.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2443359
                            Entropy (8bit):7.927032974390551
                            Encrypted:false
                            SSDEEP:49152:2HZkYR3gdOwBkskdDT+FQDGn5zpoLU0izCPOYZSKgdE6qFnm3DP+ulUnW:2jRkOlskJpDO5zpoKzZBKga6YmzWulUW
                            MD5:960696AF7BBDF3A98F282FD51A641797
                            SHA1:D884A5875C64C8F3B011E0754BEA633ACACEFBE6
                            SHA-256:CBFAC1EE697AB73485822088E25CEDB92D495B0B9423464CEBAC2FE3989212FC
                            SHA-512:9000DD85A0B2EBF5BE41D6C9785D69462D4D1B097D49CF2A57A432AB5D784BB9C95ECF1EB9F7CCC88D0CE47C580014E038D7A716FD1F8C094D2E6A1A42F3F0A3
                            Malicious:false
                            Preview:PK.........k.JH...O...VP......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-q.......0..*!......R5/..Xu..C...5.{H.o/.2.....}.*.V..,..^.n.....c.K.....:...e...(.,..\YgE*.9,6a...b#.a.?..Li.tO?=._....%...`N.........{.j........u..\..9^h.T.<.$.<.#...p.V'......f..r.......Kggx...x....E...H.m.6.)._.2S...l....8..,.fHP}.M.......I.B....c.....4.......=ebN.R..Q=.~EN.*.4.x.v.........rf.8..Y..)g.3.3..g.O.e...7Q.B........L.7..v.6;..v....d....M.Z...ZkWC]k.".k.];u..K.Wk...>Wk.#..Z.| t.6tC}C...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7lJ..ZZ8.7rC}#...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7jJ..ZZ8.7vC}c...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7nJ..ZZ8.7qC}....}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7iJ..ZZ8.7uC}S...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7mJ..ZZ8.7sC}3...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7kJ..ZZ,..ztyJ.<}.2.e..._....PK.........k.J.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70........

                            C:\Users\user\AppData\Local\Temp\TCD97F.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):280
                            Entropy (8bit):3.529695717494243
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUX0MAkRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyEMVymD0wbnKNAH/lMz1
                            MD5:52829318BDC6E0269BFB0626D2D1C1E2
                            SHA1:80F597C31152B771AADA76DCC598DC7D0162ECA3
                            SHA-256:A73279946A11C61E07A92A61FEB90A2B741B9CCA0F86C718B79E4BD06C18456D
                            SHA-512:3D4FF52AF0CF12F36675D5BBD1679C2B03CF11DD944489369DD23764EEEB79DA19944C605B93F1A04F278DE3E8C98437B59EC4FC4675819614C50E222D3D001C
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.d.i.s.o.n...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCD9FD.tmp\Main_Event.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2924237
                            Entropy (8bit):7.970803022812704
                            Encrypted:false
                            SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                            MD5:5AF1581E9E055B6E323129E4B07B1A45
                            SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                            SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                            SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                            Malicious:false
                            Preview:PK.........{MB.$<.~....p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.......H^..<}...lA-.D.....lI/...hD.Z....|VM..ze........L..tU...g....lQ....Y...>MI...5-....S......h=..u.h..?;h...@k...h...'Z...D...;.....h=..'Z...D...;.....)^./.../U.../..../U.../..../U..?...'.........Ngz..A.~.8.#D....xot.u.?...eyot.n..{..sk....[......Z..F....l...o)..o..o...oi..o)..o..,..b.s......2.C.z.~8.......f......x.9.|.8..............u................r.nD..]...........w.~7...-...-...-...-...-...-....x.&l........>.4.z.~8..........=E....As.1..q. 9....w.7...1........w.}7......Ft...................o)..o..o...oi..o)..o..w.7a...x0...........d0..............A.......Fl.............Ft................w#...r.nD..]..M...K1.0..7....

                            C:\Users\user\AppData\Local\Temp\TCD9FD.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):286
                            Entropy (8bit):3.5434534344080606
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXIc5+RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxny4KcymD0wbnKNAH/lMz1
                            MD5:C9812793A4E94320C49C7CA054EE6AA4
                            SHA1:CC1F88C8F3868B3A9DE7E0E5F928DBD015234ABA
                            SHA-256:A535AE7DD5EDA6D31E1B5053E64D0D7600A7805C6C8F8AF1DB65451822848FFC
                            SHA-512:D28AADEDE0473C5889F3B770E8D34B20570282B154CD9301932BF90BF6205CBBB96B51027DEC6788961BAF2776439ADBF9B56542C82D89280C0BEB600DF4B633
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.a.i.n._.E.v.e.n.t...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCDCF.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):252
                            Entropy (8bit):3.4680595384446202
                            Encrypted:false
                            SSDEEP:6:fxnxUXivlE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyydGHmD0+dAH/luWvv
                            MD5:D79B5DE6D93AC06005761D88783B3EE6
                            SHA1:E05BDCE2673B6AA8CBB17A138751EDFA2264DB91
                            SHA-256:96125D6804544B8D4E6AE8638EFD4BD1F96A1BFB9EEF57337FFF40BA9FF4CDD1
                            SHA-512:34057F7B2AB273964CB086D8A7DF09A4E05D244A1A27E7589BDC7E5679AB5F587FAB52A2261DB22070DA11EF016F7386635A2B8E54D83730E77A7B142C2E3929
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .a.r.c.h.i.t.e.c.t.u.r.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCDCF.tmp\architecture.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):5783
                            Entropy (8bit):7.88616857639663
                            Encrypted:false
                            SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                            MD5:8109B3C170E6C2C114164B8947F88AA1
                            SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                            SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                            SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                            Malicious:false
                            Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z

                            C:\Users\user\AppData\Local\Temp\TCDDD8.tmp\Mesh.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3078052
                            Entropy (8bit):7.954129852655753
                            Encrypted:false
                            SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                            MD5:CDF98D6B111CF35576343B962EA5EEC6
                            SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                            SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                            SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                            Malicious:false
                            Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                            C:\Users\user\AppData\Local\Temp\TCDDD8.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):274
                            Entropy (8bit):3.5303110391598502
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXzRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnylymD0wbnKNAH/lMz1
                            MD5:8D1E1991838307E4C2197ECB5BA9FA79
                            SHA1:4AD8BB98DC9C5060B58899B3E9DCBA6890BC9E93
                            SHA-256:4ABA3D10F65D050A19A3C2F57A024DBA342D1E05706A8A3F66B6B8E16A980DB9
                            SHA-512:DCDC9DB834303CC3EC8F1C94D950A104C504C588CE7631CE47E24268AABC18B1C23B6BEC3E2675E8A2A11C4D80EBF020324E0C7F985EA3A7BBC77C1101C23D01
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .M.e.s.h...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCDDE9.tmp\Celestial.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3295051
                            Entropy (8bit):7.9549249539064
                            Encrypted:false
                            SSDEEP:98304:RMKPrL1cgIF6jyoKfszvzC2UFsp3SUwDyMdghJU:RLPrGgIF6jJKAvO2UAiwU
                            MD5:5978107C3CB2A4A8427E643D0A5587EB
                            SHA1:A3A865B6D128E7C9C5821DF03B9EDFE136F53D17
                            SHA-256:DDCEAEC2A8E652B60CFA4D5D4C7895D70AD25A214D70DE884302C8FE18F53910
                            SHA-512:D9E0B9D52665F4C1E4B6CC32E6DEBA4C0CBC9309728415AC9588DDD84CAD47A90567192D24BF7FF2F5DD7836A559F396B5015ABF3E085ABC9B813FF365388D65
                            Malicious:false
                            Preview:PK..........1A.f}......p......[Content_Types].xml..n.@.._......8i.'......}.......(y...H}......3Fi..%.......3..._...j.`.2....cod.(...r...w{s..)...]..3..APF.61...6ug.Y...... 7.....d<..Q.V6.N......{.0.U5...>.-..Ko.nw.f...'.....!.s.=fw.{PaW.. ..82.;.<..os....n....>...w..%....P...v...v....'....m.m..3.[.._...:[,...h..!~s..^..Y..E.....^.9Y.j.....#x......3....=....b}4O.*....k7.+.&.Xg.X.X..XSN.KN.+N.7.X....!..CR....I]...>....L...!=...9..!L.0.v.gEo\.......w..No.a.C.q.}<.........a..n./......e.-)h9a..}i.}.."-..C.C.Xq..0?..M4.........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......4....&T......Wlw.b....}..+.A\...q......~.WK.Z^..........>.h..`......}......k..s.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G.....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ...-Z.>X.2.....>8..S.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ..

                            C:\Users\user\AppData\Local\Temp\TCDDE9.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):284
                            Entropy (8bit):3.5058612801050892
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUX1kRELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyYymD0wbnKNAH/lMz1
                            MD5:1F4035219DC6A0E9FD3A3164C6B6D0E6
                            SHA1:C6CFB52EC8764F3B27782310DD74A71AB8EFD34C
                            SHA-256:6AC194049AB034406AD36F9C4436CFC74BF03664A3C025F91D642779D15B9DFC
                            SHA-512:1D86B380200A41547E2FF9A00CEFAB5895F88BD777EAF3981A0406B1CFD2139069D922A88963431EA781FB766A8410957A33816F8E27F57C1EBA85507540F715
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.e.l.e.s.t.i.a.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCDE5.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):246
                            Entropy (8bit):3.5039994158393686
                            Encrypted:false
                            SSDEEP:6:fxnxUX4f+E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyvGHmD0+dAH/luWvv
                            MD5:16711B951E1130126E240A6E4CC2E382
                            SHA1:8095AA79AEE029FD06428244CA2A6F28408448DB
                            SHA-256:855342FE16234F72DA0C2765455B69CF412948CFBE70DE5F6D75A20ACDE29AE9
                            SHA-512:454EAA0FD669489583C317699BE1CE5D706C31058B08CF2731A7621FDEFB6609C2F648E02A7A4B2B3A3DFA8406A696D1A6FA5063DDA684BDA4450A2E9FEFB0EF
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.a.b.b.e.d.A.r.c...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCDE5.tmp\TabbedArc.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):3683
                            Entropy (8bit):7.772039166640107
                            Encrypted:false
                            SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                            MD5:E8308DA3D46D0BC30857243E1B7D330D
                            SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                            SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                            SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                            Malicious:false
                            Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.

                            C:\Users\user\AppData\Local\Temp\TCDE6.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):252
                            Entropy (8bit):3.48087342759872
                            Encrypted:false
                            SSDEEP:6:fxnxUXXt1MIae2E3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyfMIaRGHmD0+dAH/luWvv
                            MD5:69757AF3677EA8D80A2FBE44DEE7B9E4
                            SHA1:26AF5881B48F0CB81F194D1D96E3658F8763467C
                            SHA-256:0F14CA656CDD95CAB385F9B722580DDE2F46F8622E17A63F4534072D86DF97C3
                            SHA-512:BDA862300BAFC407D662872F0BFB5A7F2F72FE1B7341C1439A22A70098FA50C81D450144E757087778396496777410ADCE4B11B655455BEDC3D128B80CFB472A
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .P.i.c.t.u.r.e.F.r.a.m.e...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCDE6.tmp\PictureFrame.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):4326
                            Entropy (8bit):7.821066198539098
                            Encrypted:false
                            SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                            MD5:D32E93F7782B21785424AE2BEA62B387
                            SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                            SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                            SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                            Malicious:false
                            Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

                            C:\Users\user\AppData\Local\Temp\TCDEE5.tmp\Vapor_Trail.thmx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3611324
                            Entropy (8bit):7.965784120725206
                            Encrypted:false
                            SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                            MD5:FB88BFB743EEA98506536FC44B053BD0
                            SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                            SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                            SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Local\Temp\TCDEE5.tmp\content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):288
                            Entropy (8bit):3.5359188337181853
                            Encrypted:false
                            SSDEEP:6:Q+sxnxUXe46x8RELpmlJ0+3FbnKf68dADryMluxHFpwwl:Q+sxnyO3UymD0wbnKNAH/lMz1
                            MD5:0FEA64606C519B78B7A52639FEA11492
                            SHA1:FC9A6D5185088318032FD212F6BDCBD1CF2FFE76
                            SHA-256:60059C4DD87A74A2DC36748941CF5A421ED394368E0AA19ACA90D850FA6E4A13
                            SHA-512:E04102E435B8297BF33086C0AD291AD36B5B4A97A59767F9CAC181D17CFB21D3CAA3235C7CD59BB301C58169C51C05DDDF2D637214384B9CC0324DAB0BB1EF8D
                            Malicious:false
                            Preview:..[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .V.a.p.o.r._.T.r.a.i.l...t.h.m.x.....C.o.m.p.o.n.e.n.t.:. .P.P.T.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.P.P.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. .{.F.i.l.e.P.a.t.h.}.....

                            C:\Users\user\AppData\Local\Temp\TCDFA.tmp\BracketList.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):4026
                            Entropy (8bit):7.809492693601857
                            Encrypted:false
                            SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                            MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                            SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                            SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                            SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                            Malicious:false
                            Preview:PK........YnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........bnB;?.......f......._rels/.rels...J.1.._%..f....m/.,x...&.lt.dV.y.|.."v....q..|......r..F..)..;.T5g.eP..O..Z.^-.8...<.Y....Q.."....*D.%.!9.R&#".'0(.u}).!..l....b..J..rr....P.L.w..0.-......A..w..x.7U...Fu<mT.....^s...F./ ..( .4L..`.....}...O..4.L...+H.z...m..j[].=........oY}.PK........J.L6...m....,.......diagrams/layout1.xml.X.n.8.}N.....PG.............wZ.,.R.%.K...J.H]....y.3..9...O..5."J.1.\.1....Q....z......e.5].)...$b.C)...Gx!...J3..N..H...s....9.~...#..$...W.8..I`|..0xH}......L.|..(V;..1...kF..O=...j...G.X.....T.,d>.w.Xs.......3L.r..er\o..D..^....O.F.{:.>.R'....Y-...B.P.;....X.'c...{x*.M7..><l.1.w..{].46.>.z.E.J.......G......Hd..$..7....E.

                            C:\Users\user\AppData\Local\Temp\TCDFA.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):250
                            Entropy (8bit):3.4916022431157345
                            Encrypted:false
                            SSDEEP:6:fxnxUXsAl8xoE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxny8A8xoGHmD0+dAH/luWvv
                            MD5:1A314B08BB9194A41E3794EF54017811
                            SHA1:D1E70DB69CA737101524C75E634BB72F969464FF
                            SHA-256:9025DD691FCAD181D5FD5952C7AA3728CD8A2CAF20DEA14930876419BED9B379
                            SHA-512:AB29C8674A85711EABAE5F9559E9048FE91A2F51EB12D5A46152A310DE59F759DF8C617DA248798A7C20F60E26FBB1B0FC8DB47C46B098BCD26CF8CE78989ACA
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .B.r.a.c.k.e.t.L.i.s.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCDFB.tmp\Content.inf

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):256
                            Entropy (8bit):3.4842773155694724
                            Encrypted:false
                            SSDEEP:6:fxnxUXDAlIJAFIloE3QepmlJ0+hdADryMluyS6Bkls0Lwv:fxnyMlI7loGHmD0+dAH/luWvv
                            MD5:923D406B2170497AD4832F0AD3403168
                            SHA1:A77DA08C9CB909206CDE42FE1543B9FE96DF24FB
                            SHA-256:EBF9CF474B25DDFE0F6032BA910D5250CBA2F5EDF9CF7E4B3107EDB5C13B50BF
                            SHA-512:A4CD8C74A3F916CA6B15862FCA83F17F2B1324973CCBCC8B6D9A8AEE63B83A3CD880DC6821EEADFD882D74C7EF58FA586781DED44E00E8B2ABDD367B47CE45B7
                            Malicious:false
                            Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .C.o.n.v.e.r.g.i.n.g.T.e.x.t...g.l.o.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.\.S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........

                            C:\Users\user\AppData\Local\Temp\TCDFB.tmp\ConvergingText.glox

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):11380
                            Entropy (8bit):7.891971054886943
                            Encrypted:false
                            SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                            MD5:C9F9364C659E2F0C626AC0D0BB519062
                            SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                            SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                            SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

                            C:\Users\user\AppData\Local\Temp\cab11F.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):22594
                            Entropy (8bit):7.674816892242868
                            Encrypted:false
                            SSDEEP:384:L7d2l8FbHaaIKbtv1gDISi8E0GftpBjEZRFLrHRN74bUll7PK/pd:LUlCIOt/8Pi6Zv4bMId
                            MD5:EE0129C7CC1AC92BBC3D6CB0F653FCAE
                            SHA1:4ABAA858176B349BDAB826A7C5F9F00AC5499580
                            SHA-256:345AA5CA2496F975B7E33C182D5E57377F8B740F23E9A55F4B2B446723947B72
                            SHA-512:CDDABE701C8CBA5BD5D131ABB85F9241212967CE6924E34B9D78D6F43D76A8DE017E28302FF13CE800456AD6D1B5B8FFD8891A66E5BE0C1E74CF19DF9A7AD959
                            Malicious:false
                            Preview:MSCF....2.......D...........................2....?..................0...............ThemePictureAccent.glox.....0...........Content.inf.o.@D..8.[.........B.....?. $...K.....~....aZ.WA"...k.......Z......."......"..X.fpB 2@d..87.[.A......p..e.'......F..P^%.%.RK...........T%0..........9..+8 ...&.q.....+.......^.fad^^n...d.....s1..... .3j.c-c7..y<.....6........C5n.KG...Rs[lt..ZkwI.!..Uj.ez_!A^: /.;.Rl4....^..<6..N...'.YY.n*.E{.`..s.7..z.......L.y.Y.....q.kx.....[5.+<to......1...L.r.m..kC.q.k.1..o.w8s.....xh.@.b.`l\...}z1.6..Y.</DY...Z5..D...0..4.;..XAA..0qD..E.....h...C..hH......S..Z.\.VBu......Rxs.+:RKzD......{......a..=......).<.....d.SM.......c!t.4.h..A=J~.>q?Hw.^.....?.....[..`....v.nl..A.u...S!...............c......b.J.I.....D...._?}..or.g.JZ#*."_``.>.....{...w......s...R.iXR..'z....S.z.\..f.....>7m..0q.c-8\..nZw.q..J.l....+..V....ZTs{.[yh..~..c........9;..D...V.s...#...JX~t8%......cP^...!.t......?..'.(.kT.T.y.I ...:..Y3..[Up.m...%.~

                            C:\Users\user\AppData\Local\Temp\cab121.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):19288
                            Entropy (8bit):7.570850633867256
                            Encrypted:false
                            SSDEEP:384:5ZII4Hf+7G8E0GftpBjCwBFLrHRN7bcClvQyUTL2mH:pG8PicgbcAvU+mH
                            MD5:B9A6FF715719EE9DE16421AB983CA745
                            SHA1:6B3F68B224020CD4BF142D7EDAAEC6B471870358
                            SHA-256:E3BE3F1E341C0FA5E9CB79E2739CF0565C6EA6C189EA3E53ACF04320459A7070
                            SHA-512:062A765AC4602DB64D0504B79BE7380C14C143091A09F98A5E03E18747B2166BD862CE7EF55403D27B54CEB397D95BFAE3195C15D5516786FEBDAC6CD5FBF9CD
                            Malicious:false
                            Preview:MSCF....H.......D...........................H....?..................................VaryingWidthList.glox.................Content.inf...O.....[.... v.q......R.....>.%i.I.HhD.V...qt.....'....N...!..aw$(J.%(..A..h......l|.D.p9`..Y09.:.u....p. :,.*.YD=0.p. ......w.........*..<..;.....u.."......7[....8.....?^........-..;q.|.....B....PJ....r.K#.#.0'...}.........+gpR...T....5.iu.^I...A\..gK....}..z.B.nT.../.m.......N....E'1.E.\..o.....W..R.#.#...8.7...R.SbW-...%......$.obj.F..W_@....sY!........s.O..."k. ..b....j....v...P.\....7d...|"J.T...2p..m.&..r..,2.).....X.`...xt].U...b.h..V.....|L..N.Z.O#....o...1R.w30.g..?;..C.T.:$..MGY.C"i\.f..#..<.k...m..s.w. ..Ga].....wt.h|.Ta<.......(SO.]9.%a..Z... r._JH.=O...P.9a.v.....Kj.".T...m...4.?...F...$...y.....hbW.UA..u.&)....py.C{.=t.....n...}|H3A9.=..W..JJ..y./Y.E.M9..Z..w. .HB.YoIi..i.e..9;n...SpHw,....f....d>..g.m..z...... ...f...KP.M..U.....~vFD.fQ.P?......2!.n.....`@C!G...XI.].s,.X.'...u.E.o..f

                            C:\Users\user\AppData\Local\Temp\cab155.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):22340
                            Entropy (8bit):7.668619892503165
                            Encrypted:false
                            SSDEEP:384:GByvLdFHny7G8E0GftpBjE8upFLrHRN778lvQyUTL2mm2y:Oy3HkG8Pi6887mvU+ma
                            MD5:8B29FAB506FD65C21C9CD6FE6BBBC146
                            SHA1:CE1B8A57BB3C682F6A0AFC32955DAFD360720FDF
                            SHA-256:773AC516C9B9B28058128EC9BE099F817F3F90211AC70DC68077599929683D6F
                            SHA-512:AFA82CCBC0AEF9FAE4E728E4212E9C6EB2396D7330CCBE57F8979377D336B4DACF4F3BF835D04ABCEBCDB824B9A9147B4A7B5F12B8ADDADF42AB2C34A7450ADE
                            Malicious:false
                            Preview:MSCF....4.......D...........................4....?..................1...............ThemePictureGrid.glox.....1...........Content.inf....K..5.[.... V.q......B.....?.h.i.J.D...Z...>.....i~...A...Z....H.hy.D..X.....>...L.I..`. z w0}.K`.C{h....W\../.U..p\%...B...;............9..8.^M.....].lP.p...|..?..M....E..S.`..-n........Q'.'.o..C}=..?`.bQ...J"0f.. ....k3n..F.Pu..#...w].`<...."D.].-.#+):..fe..=<.M...4..s.q.f._.=.*T.M..U.[R.kbw.,......t6_I...~.X..$_.q....}2..BR...).[...<.l.3........h%....2.$`>..hG...0.6.S......._3.d~1.c.2g....7tTO..F.D.f.Y..WCG.B..T....Gg&.U'....u.S/......&6w..[bc.4....R.e..f.,....l."........I....J.=~...$x.&2...+,-.;.v.'.AQ.fc...v._..rZ..TYR...g?..Z..!.3mP dj...../...+...q.....>..../...]P.z?DW&.p..GZ....R5n......,..]{].0m.9...o.{...e."...8VH....w"%;.g\.K..p.}....#r.u..l.vS...Y.7U.N*-E@.....~....E...x.....C.......{NP....5Ymk.*._.K...Z...f..;.......b.....,._@B..\.S..d.'\rs..].}.5"XJU.J..'.zk}.+P.)C.X.?9sx.D....(K....P^N_D...Z.........

                            C:\Users\user\AppData\Local\Temp\cab167.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):21357
                            Entropy (8bit):7.641082043198371
                            Encrypted:false
                            SSDEEP:384:zdx+NRrogu6fzCI7Th7G8E0GftpBjEzZq4FLrHRN7/Oll7PK/pB:/+NRrFf/G8Pi6zZb/GIB
                            MD5:97F5B7B7E9E1281999468A5C42CB12E7
                            SHA1:99481B2FA609D1D80A9016ADAA3D37E7707A2ED1
                            SHA-256:1CF5C2D0F6188FFFF117932C424CC55D1459E0852564C09D7779263ABD116118
                            SHA-512:ACE9718D724B51FE04B900CE1D2075C0C05C80243EA68D4731A63138F3A1287776E80BD67ECB14C323C69AA1796E9D8774A3611FE835BA3CA891270DE1E7FD1F
                            Malicious:false
                            Preview:MSCF....].......D...........................]....?..........{.......................rings.glox.................Content.inf..|^.....[......P........<.$.."..0R..xa.Ax#B..d... ....K,.....^.H.....H.........&.j.\f.. ..,....,..!k..R..e..!...E...........................><.RB.....~h...........Q................g..M|,...x.....qV7.u..\...F-N.{-..X..&Zig.~..{.A.p.Z...X..{,-n............`$.%.ND.....>].6cvZ.%d..*a.$..-.K.Hf....L..;.#...H....U,........P.@.*-$C.,.g...%YJE..$.jP........b...Y<..[U...MF]F.K...1... x.}3w.o.#,.}T.....w5+...=.=...c.F^....OM.=.......G_{n.*...WC.w!......{/.~.}..s..6_......)..Xy...4.....<..XZJ........#~._i....%..fM.V.?.q...q.....7...B..sVt...(.:..c....~.e...kGZ...C..(J..o...`...?.)-.T.l....&...gR.$.....g.:...2.e%F.....x....z0...K..a8B...........D..]....7....~.".DR...r)...}b)e.>.\h~f...(}.c........Q...o5H.........C.KC.(.L.l................R..a.pg{..\.......-b........}.C......qTS..%..r.lG..Q.1..Z.>a.D...tC..LV...Rs.C.M18x.:......%O.

                            C:\Users\user\AppData\Local\Temp\cab18E8.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 8162257 bytes, 2 files, at 0x44 +A "content.inf" +A "Organic.thmx", flags 0x4, ID 28519, number 1, extra bytes 20 in head, 266 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):8178537
                            Entropy (8bit):7.998487287228825
                            Encrypted:true
                            SSDEEP:196608:Uu4B2pbfn0wQZOGTHYuFdzCACe9QWPNZKPmMsDfB8D6T:UuTVfn0BcGTHl9Ce9QWPNZKPmHB8eT
                            MD5:9AED2FBBB427D6FA1A4C0D8909CB3F3F
                            SHA1:2A8BD0BC0B19EA4D194C442A56A4F3C5A5B24846
                            SHA-256:8FBA95D2C1904DFD921417CE8829FA9198CB650E7B1C0E7344743A7007BC22F9
                            SHA-512:DEE6625E3AD33F52A4F9BE4386C718901406A1B834C7BD3CA93D2886F61A26427029FD2C7719925AE7C40C8CEED58C2CB0876A3AA0FB73412BCE6845188F92FA
                            Malicious:false
                            Preview:MSCF.....|.....D...............go...........|..?..........}..................N.. .content.inf.!.........N.. .Organic.thmx.G....{..[..........@....?.TDJE.E..hi.<.$.*.z.....Bh.....>y....~<......33EE.`...V..\.....Q..k..~BjE.6.L...Hn.@d.+.v.....X.y..D..6j...!.e.D%....,...d..rG2..E.".xA../ .....@....`....7.y.$...P..h..x.....-.N.............@...L......:J......h......M....0.<..../........T..1....7N...S.@...*...5.V.`c....B...._.M...7.._.O:....C....iv.........L....R.....F../..,....1.?3B..0O.o..t.....#Q.$%.....f......6.......V[..7.~1...Q..t....m4.&F....p......w...Y.<~~...m..m..t._...|..q.9..._>..^......<(g.Ig..a..i..4.....cUb.JK....[].G..........y..S.P....B.....,+.KL.+,....R..cQz.*.r.r..f....WO....z..w.&.....x.).9xf......i.nLG>.^_Y....U... !'...F.....5R.A/..........).....p..i..z......Ul.(.e....3.G....U`M.#v...`af.../.,yw>...|.....h=3...w&.U...l..;(.d1...BTO...u..h.#....P...T..X..d_|..t...?..1..+......k......}.....LR.-...7t..4.....}j...B\..c'.5br..R....M....F

                            C:\Users\user\AppData\Local\Temp\cab227.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):307348
                            Entropy (8bit):7.996451393909308
                            Encrypted:true
                            SSDEEP:6144:7vH3uG+yiWx0eVJyORloyyDqnHefzOs81MrXLXx7:b36yiWH/LRS2CJl1
                            MD5:0EBC45AA0E67CC435D0745438371F948
                            SHA1:5584210C4A8B04F9C78F703734387391D6B5B347
                            SHA-256:3744BFA286CFCFF46E51E6A68823A23F55416CD6619156B5929FED1F7778F1C7
                            SHA-512:31761037C723C515C1A9A404E235FE0B412222CB239B86162D17763565D0CCB010397376FB9B61B38A6AEBDD5E6857FD8383045F924AF8A83F2C9B9AF6B81407
                            Malicious:false
                            Preview:MSCF....tq......D...........................tq.. ?..........|..................Mn. .Banded.thmx............Mn. .content.inf..;.u.i..[...............?....^.j.{j.B...$M/!...W....{!..^0x/.6...&............w......$.B..J.?a.$=...P..L...d..........+./.\..E:h.....-.$..u-.I..L\.M.r..Y..:rtX:....8...........+8.}{......&.-..f.f..s3-P.''.r...Z-"/E../...^%^N(,.$..$.H..O........q>...|.|......y..m.)u....`.....z.n..-.[.5....xL....M...O..3uCX..=4.....7.yh...dg.;..c.x.4..6..e..p.e"..,.!.St{..E..^I.9j....;..`.Y..#.0..f...G.....9~./....QCz.93..u%hz.........t9.""........)..7K.c~E!..x.E.p...[......o..O.j.c.......6.t{...".....t9V;xv....n<.F.S2.gI.#6...u..O..F.9.[.L.....K....#..zL..I...o....k...qog.......V..BKM..#.bET.)..&4..m.w...*....E.a[.Q.y.B...w...r.nd...)...<..#..r[4.y...#.z.....m?.2K.^...R{..m..f......r?]..>@...ra$...C+..l].9...."..rM9=......]".'...b&2e...y..a..4....ML..f...f"..l..&.Rv=2LL..4...3t_x...G....w..I.K....s.t.....).......{ur.y2...O3.K*f.*P(..F..-.y.Z...

                            C:\Users\user\AppData\Local\Temp\cab323.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):295527
                            Entropy (8bit):7.996203550147553
                            Encrypted:true
                            SSDEEP:6144:nwVaEqsf23c9shf6UyOGgDWDn/p3fd+zkPWnvGL3n9bQnkmVheyqtkl:MlPfW6sVEDn/pPdhWnvGL36zyyqal
                            MD5:9A07035EF802BF89F6ED254D0DB02AB0
                            SHA1:9A48C1962B5CF1EE37FEEC861A5B51CE11091E78
                            SHA-256:6CB03CEBAB2C28BF5318B13EEEE49FBED8DCEDAF771DE78126D1BFE9BD81C674
                            SHA-512:BE13D6D88C68FA16390B04130838D69CDB6169DC16AF0E198C905B22C25B345C541F8FCCD4690D88BE89383C19943B34EDC67793F5EB90A97CD6F6ECCB757F87
                            Malicious:false
                            Preview:MSCF.....B......D...............P............B..p?..........{.................M.. .Basis.thmx...........M.. .content.inf.`g..td..[...............5..$..WM.....R.......H\.+\./^...x.^..h..MU..\........v........+......g...$.......g.....~....U].7..T..1k.H...1...c.P.rp.6K..&......,.............U4.WoG.w.....;.....v..922.;]..5_-]..%E]b..5]... (..H..II..ttA4Q..BI!|...H.7J.2D....R.......CXhi`n....6..G.~&.[..N...v..Z"t.a..K..3..).w...._@.}.}.v.......4......h....R;.8.c&.F...B^....Q.....!Bm2...F.`.......M;...#.{....c...?...e...6t..C.-.E.V.v%I..H.....m.n...$D.....vU'.....=6}~...Gw...Y..?.@......G.....k......z...5d.h......1.}..O*;e..t......Y.0...3.v).X.-.2.....~....14.[.w=I....hN....eD..7G.u.z..7.do..!....d..o.wQ.:....@/.^..<e.-..=\.....6.C.'.rW$..Cp.M3.u6z......Q.F.9.5....juc..I...m4]7L....+n......).t......2[.3.p.:.....O5y..wA........^..!..H....{..S.3w.!&.'.;...(..|m.x.S..Z.j..3...n..WU...../w.......xe=.+.D...x..qy.S.....E..... ...uu.`.,..<.6[p

                            C:\Users\user\AppData\Local\Temp\cab343.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):261258
                            Entropy (8bit):7.99541965268665
                            Encrypted:true
                            SSDEEP:6144:9blShNYrHNn0JU+D+kh8CIjXHWC7X0nZLC9Ge2KY/WfI:9ZSTYrtn0Sk+CIDHWC7chVKYx
                            MD5:65828DC7BE8BA1CE61AD7142252ACC54
                            SHA1:538B186EAF960A076474A64F508B6C47B7699DD3
                            SHA-256:849E2E915AA61E2F831E54F337A745A5946467D539CCBD0214B4742F4E7E94FF
                            SHA-512:8C129F26F77B4E73BF02DE8F9A9F432BB7E632EE4ABAD560A331C2A12DA9EF5840D737BFC1CE24FDCBB7EF39F30F98A00DD17F42C51216F37D0D237145B8DE15
                            Malicious:false
                            Preview:MSCF............D...............nJ...............D.................."..........M. .content.inf....."......M. .Metropolitan.thmx...cVtP..[.....`Q..B.....=.T.....h.."...Z..|..}hZK.V....Z..Z................?..v...[S$."...H......^u.%.@...>....... f.........1.5......*&lm.tZ.msz:...Noc....1....D .........b..... ..3#pVp....}oo]{m......H*[%i.GNHB1D<......(*# ....H"....DP..b(B.<.....v......_..`.7..;.}............/.p}.:vp....~l0..].........S....G?.....}..U.;......dNi..?........-c..J.z....Z...._.O.....C..o.,......z....F....sOs$..w9......2G..:@...'....=.....M..am.....S......(`.._....'......[..K"....BD...D...^1k.....xi...Gt....{k@.W.....AZ+(,...+..o......I.+.....D..b. T.:..{..v.....g..........L.H.`...uU~C.d...{...4.N.N..m8..v.7..3.`.....,...W...s.;.fo.8.Y...2.i...T&.-...v8..v.U.Y=...8..F.hk..E.PlI.t.8......A.R....+.]lOei..2...... gS*.......%8H.....<.U.D..s.....>.....D_...../....l.......5O1S~.........B.g.++cV.z.f .R.Z.......@6....(..t^5"...#G...

                            C:\Users\user\AppData\Local\Temp\cab354.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):276650
                            Entropy (8bit):7.995561338730199
                            Encrypted:true
                            SSDEEP:6144:H2a+HFkDF8gpmMt4kzwVVqhSYO6DITxPWgJl1CFExwXyo7N:mlZgFtIVVTuDExeWuv7N
                            MD5:84D8F3848E7424CBE3801F9570E05018
                            SHA1:71D7F2621DA8B295CE6885F8C7C81016D583C6B1
                            SHA-256:B4BC3CD34BD328AAF68289CC0ED4D5CF8167F1EE1D7BE20232ED4747FF96A80A
                            SHA-512:E27873BFD95E464CB58B3855F2DA404858B935530CF74C7F86FF8B3FC3086C2FAEA09FA479F0CA7B04D87595ED8C4D07D104426FF92DFB31BED405FA7A017DA8
                            Malicious:false
                            Preview:MSCF............D................................D..........~..................M. .content.inf............M. .Dividend.thmx..).}.b..[.....`.........?.R...T../..............4..yy....{...f.h..\U......sy.gV0Q.@..A..@..3a.A}........7.q.......8......R....sJ)E..ENr.S*B.1..).s.r.J.D.b."..........(.....E$.V........y.5.L....;gY..QK/nni..x..3.<..Q.Q..K.I.....T.z.,F.....{.p.....;8._.&../...........X...}.;[Gk..._.i`m.u.?...s.w...4.....m......l....5..n.?..c..m...,.....{.k.?......sC.............e..1....oL.8./......1._.K:.]..&......O............qo.....Dd/c...6.q.*......V.v........h....L..h..C+..V..;O.(7Z]{I%....S3.{h....\...b.......5.ES......Z.4...o.c`..YA....9i....M.s....Z3.oq`....>.i..@.@n.a...x.3.zp.<....vU/.|^CvE...aD.P&mhvM>.p..B~....."._.......v-.m..w..?._..=...:...k....i.}x.6....Y.i..n....h...j......LZ.....fk..f0.y.T..Vl.;...s.......B6.f.'z.c.\W?...4U)..aJ.;O....L.d7.J.V#Q.....\J.F.?].d}!..y].6..%..~....|......5...'N.#.....t6.,.E.O."..0fyz....

                            C:\Users\user\AppData\Local\Temp\cab355.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):271273
                            Entropy (8bit):7.995547668305345
                            Encrypted:true
                            SSDEEP:6144:zfdvQnJMwXse4Vradf3mrC7woyWbjKlCVC7K:zfJwJse4VrS1AK
                            MD5:21437897C9B88AC2CB2BB2FEF922D191
                            SHA1:0CAD3D026AF2270013F67E43CB44F0568013162D
                            SHA-256:372572DCBAD590F64F5D18727757CBDF9366DDE90955C79A0FCC9F536DAB0384
                            SHA-512:A74DA3775C19A7AF4A689FA4D920E416AB9F40A8BDA82CCF651DDB3EACBC5E932A120ABF55F855474CEBED0B0082F45D091E211AAEA6460424BFD23C2A445CC7
                            Malicious:false
                            Preview:MSCF....Q.......D...............y...........Q...XJ..........{..................M.. .content.inf.(..........M.. .Frame.thmx.1....b..[.........B.....6....ZZ}....BH..-D..}..V.V-........Z..O.....H.f..........;..@d.`......!..=;.,bp..K.q....s.y....D.qZ)p......D...r.S....s=B.4.).8B....4.a6 ...~........."....#.....}....n.Q.1cH.%c/.U....E..E...!..Da*.p....X..G..:.....1.@.....W.'...._........W.c...<.v.k.....&.8......?.h.>d._:-.X.......9..tL}........3.;.N3.D~......>.^?..|:...}......oT.z.......w..[..}:...._fu........Kk.......L..9..p..e..^......K.%...Mapqhvv..E&.^.....[...9|"l...9...U......!..w..Nya...~C.yx...w.K..q.z.j.W?t.......DY.x.S2.....]..na.Qj...X.K..^...S.hK.W...Z....s.0...NF...8C.......j.'Zc...k.%...l....S.....OW..o.Qf.x...X.;<.rO].....W.m.e....T.1.6........".....Q.3........l..v.."..I...&......w..4vE...c.s[.3.m..8.q$.....a...)...&:6..,..#..?....;.!.....~.UP.r=.}h.&U......X...]..X.e\u.G<....E....lG.@.*Z...10.D@.]....z+-.S....p..Y.PK.:.S..p.....1E`..-

                            C:\Users\user\AppData\Local\Temp\cab3B7.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):222992
                            Entropy (8bit):7.994458910952451
                            Encrypted:true
                            SSDEEP:6144:k8/c2cF9GTLqsTmYstUdx+dwb2ooiVOfiI17zWbQ:jbzqGdpbZ/Mf3h68
                            MD5:26BEAB9CCEAFE4FBF0B7C0362681A9D2
                            SHA1:F63DD970040CA9F6CFCF5793FF7D4F1F4A69C601
                            SHA-256:217EC1B6E00A24583B166026DEC480D447FB564CF3BCA81984684648C272F767
                            SHA-512:2BBEA62360E21E179014045EE95C7B330A086014F582439903F960375CA7E9C0CF5C0D5BB24E94279362965CA9D6A37E6AAA6A7C5969FC1970F6C50876582BE1
                            Malicious:false
                            Preview:MSCF.....'......D...............]............'..H?..........z..................M{. .content.inf..l.........M{. .View.thmx......R..[...........@...G...I..(J.....B....Q!....}Ju..(BR..._|.5.%.....6m...........?.w{.rm,....#....;Ba#.:v...Dv.."u.v{!...f}......!......:.S.......".z.f.......==.n.0Km0eh.Kbm.C.r.6.........d..h.....{..w..}....2sb...rvm..x...0(..B... ...BH.r#.@..d".*..F+...Q.sx.....?...d.d.eZ2W2.2d...q.I....4.e4....#.....K...3...1.p.y......>.~V....cm....n^..b.{..._D?..AG...'...k.L&..h}=p.....Wl....(.......>.~.].....'.4.W{......../......7.....'.s...w...6..hn..e.2.).l]u.v4...GF.X..X..X....G.i.\..y.g&.<&ti......Sp,j.....>I..S..%.y..........S..-).+...>...D..............[...d...jt.~<x.a(.MDW..a..ZI.;+..!,.$...~>#...).R4...K.$.Zm......b...........{..._..A{.}..r...X...T.ZI.T.).J...$.".U,.9...r.z.)......}...()<....m....QS.p...;?..5.W~2r.EZu..P.1.%'l.........+/6.Mm.|2....Ty..f.o.S.....3J.._...X,..m....:..1.<GqFy.QA9W4.=....n...ZP...O.\.[...:8.%.^..H.....

                            C:\Users\user\AppData\Local\Temp\cab3B8.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):230916
                            Entropy (8bit):7.994759087207758
                            Encrypted:true
                            SSDEEP:6144:OTIPtMXmJWnzPS3pqnkeuJXW+FNx1a72rLiQxEBTR:750nz63/FJRFLISnp+Bt
                            MD5:93FA9F779520AB2D22AC4EA864B7BB34
                            SHA1:D1E9F53A0E012A89978A3C9DED73FB1D380A9D8A
                            SHA-256:6A3801C1D4CF0C19A990282D93AC16007F6CACB645F0E0684EF2EDAC02647833
                            SHA-512:AA91B4565C88E5DA0CF294DC4A2C91EAEB6D81DCA96069DB032412E1946212A13C3580F5C0143DD28B33F4849D2C2DF2214CE1E20598D634E78663D20F03C4E6
                            Malicious:false
                            Preview:MSCF.....F......D................g...........F...?..........|..................L.. .content.inf.zG.........L.. .Parcel.thmx.>2...R..[...0...........7....B+...BH....{...^.../.....B{...1....+".....<.....$........{.......sD"..j...}... P..w..U..f...6.x8. ...C..F.q.7....T.6p......B.P..L..g......A..43.W`.....{{...u.4...:.bb.4"X..m..)$..@(H. H.tBPTF..,.&.B.'...6..2...n..c%...Z@.(.@.......(.<i.i....P......?......o.......F.M.L......i.....C..7..../.....MQ.0..l.U.s.Fu.......1...p.;.(.}..ogd..<.._.Z......._.......O.J......97...~<...4.c....i..........'k.5.......Q.$..C..E... ..5.7....N.a.[ns6hi..kM....?....X......*9q...!O\....0....n.^s.9.6..............;. ..r...rf..C6z..v #.H...O...v/.sl....J.m%.L.Dp.e....*uO..g.y....f...].5.*........W.....h^[..w.|.=.ru.|.M..+.-.B...D.Ma....o.<X SnI....l...{..G..,..y5\W.@..y.;.y ...M..l.....e..A...d.e!.E..3.......k1.......6gY).../....pQ..?..s.W.)+R.S5..../.0..vz.^.......k.....v..9..A.NG...N~#..$.B...*s,(.o.@.ar.!.J.....

                            C:\Users\user\AppData\Local\Temp\cab3C9.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):550906
                            Entropy (8bit):7.998289614787931
                            Encrypted:true
                            SSDEEP:12288:N4Ar9NyDhUQM0Hk86V1YnOIxQ9e6SJbj2OjK:jAG8wa5Qw6SZ2Oj
                            MD5:1C12315C862A745A647DAD546EB4267E
                            SHA1:B3FA11A511A634EEC92B051D04F8C1F0E84B3FD6
                            SHA-256:4E2E93EBAC4AD3F8690B020040D1AE3F8E7905AB7286FC25671E07AA0282CAC0
                            SHA-512:CA8916694D42BAC0AD38B453849958E524E9EED2343EBAA10DF7A8ACD13DF5977F91A4F2773F1E57900EF044CFA7AF8A94B3E2DCE734D7A467DBB192408BC240
                            Malicious:false
                            Preview:MSCF....*#......D...............Q...........*#...D..........~..................M{. .content.inf............M{. .Parallax.thmx.9... y..[......(..b.P...E.Q*.R.".RTH.%.T..F......u.{.*+.P.....FK*0].F...a{...D4`D..V.../.P,....2.Mx...u......0...E...{A-"J...)jl_.A..T......u.Y....ZG:....V.A.#~.. ..6..............o..X..<.... .......C.ce.f!nA.).p...p........n..................'6w6H6s.j....l...{?.h..........]..l.....v....%..l}A..................3...W_73.j......6...F.../..qG.?........H..).........7.&km....`m2..m.W.q.<../~<..6*.78..X~.e+..CC*w...T...6....AB..l..._.f......s.e....2....H..r.R.Z....a.,..\Q.q..._SJJ....7.S.R....=f..>....9=....NnC.....].-...\..Z..q..j...q.....Nj..^'..k...Zl.~PRvpz.J..+.C...k.z.w=l.#.............n...C..s.kM.@B{..vL.e....E..(/......f...g..=..V...}...).=s.....y!.,...X.[..[.....\31}..D%...%..+G66.j.v./.e9...P;.o.y..U+...g.g.S.../..B._L..h...Oi.._...:..5ls>>........n6.F.Q..v>..P.r:.a..Z....a...x..D....N...i..=L.u......<;Nv.X/*.

                            C:\Users\user\AppData\Local\Temp\cab3FB.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):640684
                            Entropy (8bit):7.99860205353102
                            Encrypted:true
                            SSDEEP:12288:eV7ivfl+kbkIrWu+2aoRjwv/cSUWauGPo2v65s4QqcT3ZCCz6CSj8aC:fdhr1+3y4MWaC2CO4V+3ZCCDsO
                            MD5:F93364EEC6C4FFA5768DE545A2C34F07
                            SHA1:166398552F6B7F4509732E148F93E207DD60420B
                            SHA-256:296B915148B29751E68687AE37D3FAFD9FFDDF458C48EB059A964D8F2291E899
                            SHA-512:4F0965B4C5F543B857D9A44C7A125DDD3E8B74837A0FDD80C1FDC841BF22FC4CE4ADB83ACA8AA65A64F8AE6D764FA7B45B58556F44CFCE92BFAC43762A3BC5F4
                            Malicious:false
                            Preview:MSCF............D................4...............?..........~..................M. .content.inf."..........M. .Quotable.thmx..^.u.n..[...............&...U..F.......UU.M.T5.UUQS..j..#>43fD.....`....Vr......19'...P..j.-...6n.0c....4$.c....$.4.k3aQ$.lCN.#.[.."qc....,Z...,Qt@!.@...... ...H.......9.9.y.{....[.`..s3.5.....B....W.g.d...[uv.UW..............P.8.(.?......3.....'/F...0...8.P. .O..B....K...g..L.......#s...%..|4.i....?.3b.".....g...?.........2.O23..'..O~.+..{...C.n.L......3......Y.L...?K...o......g....@.]...T..sU.....<.._.<G.......Tu.U2..v.&..<..^..e.].cY;..9.%..}...I.y.;...WM...3>.:.=.|.-.AtT2OJ.I.#...#.y....A....\]$r...lM.%5.."...+7M..J.....c...".&$.... Y.r.B;..81B. +H...b....@7K.*.F.Z...v..=..ES.f.~.."...f..ho.X.E.a`~*...C>.&..@\.[....(.....h..]...9&...sd.H .1.x.2..t.rj..o..A..^qF.S9.5.....E.{...C|.w.c/V...0Q.M...........O.7;A4u...R..Z.B.7a.C`....p.z.....f!|.u.3t....2e.wWH..'7p....E_...e.._;..k....*&E.^.f=V..{*..al.y:.4a...+.g...-..>e

                            C:\Users\user\AppData\Local\Temp\cab40C.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):698244
                            Entropy (8bit):7.997838239368002
                            Encrypted:true
                            SSDEEP:12288:bUfKzAwwP7XAMWtr4FvMRt4lX0hnBdThiSb32+TdysrQgn7v4EemC6:sr7AMkJ34xu1bm4ZrQaY6
                            MD5:E29CE2663A56A1444EAA3732FFB82940
                            SHA1:767A14B51BE74D443B5A3FEFF4D870C61CB76501
                            SHA-256:3732EB6166945DB2BF792DA04199B5C4A0FB3C96621ECBFDEAF2EA1699BA88EE
                            SHA-512:6BC420F3A69E03D01A955570DC0656C83C9E842C99CF7B429122E612E1E54875C61063843D8A24DB7EC2035626F02DDABF6D84FC3902184C1EFF3583DBB4D3D8
                            Malicious:false
                            Preview:MSCF....lh......D...............P...........lh...?..........|..................M. .Berlin.thmx............M. .content.inf..lH.lj..[...............7.I..)........P..5x.B/^y5.xk^^......D.F........s....y...?D.....*.....&....".o..pl..Q.jm?_...6......=%.p.{.)S..y...$......,4..>#.........)..."-....K....4.E...L=.......4..p.c..nQ.0..ZO.#.....e.N..`U......oS....V..X[t.E)|.h..R....$..}.{.F.7....^.....w.,...5rBR.....{.......mi...h.b......w+..;.hV......q..(.7&.Z.l...C."j........[-E4h.....v&..~.p$|\X...8.....Fj'%,.)6w...u|C..,y..E..`*Up../(....2.(....Z.....,.'...d..s..Z....5.g.?Nq..04...f...D.x....q+.b.."v`{.NL....C..... ..n......1N+.I.{W9....2r.0...BaC.....O..=...k..."..8.D\jK.B...Aj....6,B..2...I.. B..^.4..1.K+.....DP...Mr....9..x[...>........?.Zd..'._2.._..>..'.F..#.w...2..~.|........q_Wy.W.....~..Qex.km/..f......t.q..p..gm.|.x.... ,.#\Z....p....a.}...%..v.J.Es......I.b.P?...0......F.x....E..j..6.%..E..-O.k...b .^.h.Cv...Z....D.n.d:.d.F..x...[1...B..

                            C:\Users\user\AppData\Local\Temp\cab43D.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 437097 bytes, 2 files, at 0x44 +A "Atlas.thmx" +A "content.inf", flags 0x4, ID 18422, number 1, extra bytes 20 in head, 27 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):453305
                            Entropy (8bit):7.997509772969848
                            Encrypted:true
                            SSDEEP:6144:Ggji1e3pEwbB2Y02HSiPTiGE74Go8D6CFQQ5sIxrV2CnOzIt5E6H7f1ADW0QFQhX:GMP9JTHjPuT9+KKIKCnO16bfGGStAM
                            MD5:271FF904CEB8B5383B45ECF0DA6A9238
                            SHA1:6B89CCC79D98A96AB00D045E2CF5FD495CB03193
                            SHA-256:1D9C6C49026503E16D584633211DF49B82191F3988F466C7F12D29C8AE5E4E4B
                            SHA-512:3E5197D4F1A24BC903DBF8A0CD3CA9EFB6CBFE725C31EEA454EA1B4D355229E55B4F51F3B13BFB24D32BB6DA6F85B7CB6E31289AD8DE6C9C9F1C4C1491AFB9D2
                            Malicious:false
                            Preview:MSCF....i.......D................G..........i...P?..........{.......2..........J.. .Atlas.thmx.....2......J.. .content.inf....p..[.....P.........&......U...U5.U.T....jP......5....hf.h................g.......s....Mx....Hg...BH.u.%.Q..4i...*.4T.RV.C.b[.F..m..P:.d....xT$.,...............(..{...f.e0..l$ba"..../... N..a~....GyD?..A@|...... ....R.H.....?IL@...P..{...\......Y.21..K.-....D......J../.yj.w..5....=<M.SkB..\w..0.}...>u...m.+ O.{....+....q..:}.=.X.=H...<.~T.kE.-.z..r...7...R\Pad..+r..VW).....t.kje..~Mf.SK+v..........*....o8..<.q...p..4.%K]......:Z.T............V.h.l...._G..m.tl8R....Ma.....l..W0y........U.....Y`.....b.I......cz(u2..\..G.....F.zU..$T.v....HAdN.yo..r...{...j.....]...LM.|.I..ajr..[%..u.Go5vwK..Vod$.)..*...3...)....;1....'?.@.[N.c...b.%S.....ea.svj......I.b.x.....q.i....9o...#.lb.9x..4...b.{iU.N.B...sU.Y.*.....;uXY....1....&.(.........?.v...~...)....j~..}...F..v..Q..w}..i.ci.....|.{......../552......H......k.....

                            C:\Users\user\AppData\Local\Temp\cab43E.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1072808 bytes, 2 files, at 0x44 +A "content.inf" +A "Retrospect.thmx", flags 0x4, ID 59128, number 1, extra bytes 20 in head, 50 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1088984
                            Entropy (8bit):7.9927994027199425
                            Encrypted:true
                            SSDEEP:24576:h2WZfFbGSoB3Pf/u/V1HTysuGrieyhhwSvxqi6Spqsgx:h2WZfF6NB3XM1z9rALvOS6x
                            MD5:C4AF49F2FBC299AE7D3B8285BC0890C9
                            SHA1:BB302051A8E305DFB910AC26D23A67A805C3893C
                            SHA-256:30AEC7F9ECDAD690A2CB38BA6A2E07C8158175140B76F17AAE7D828A42A727A7
                            SHA-512:8402A0C75FC6AFD3B6C86794C5F7EAE0B78475989C6B556C89C762F9F312F0F58878C008D0A9CEF28EFFE341F4CF9192EE197575FAA3DA3B1D2189878C13ABF8
                            Malicious:false
                            Preview:MSCF.....^......D............................^..0?..............2..............M.. .content.inf............M.. .Retrospect.thmx.Z..,\..[...............#..0.j.`TU53..U.UU56QS..P.......}"NDCfF.....`.*e3. ...E.....p.....6,.7P...m..!..<.....WKDh.{...<.(&o.F....6AC...D.Tp6o.....#<C\.............A.6.\.[tNX...........jK...O.=.;...............A...?......4.-$....3.@..&....74A6.5..........br.............&...K.`...)....................$..q....sq..w...C............3......co.|..H.sOn.....9_.......33...~......._....h...`..`.o.0.....rTD.$'...A...d.........V.\.....=1Ocj.y.$G..IN.....Y.,.._U..Ul....b.e......%..?."tm>.hE..hM....(.gI.b.G....?..5."A.?.[.3C.7K...B...l-].I._.VJz.V.<z..v.{z.H%.."yg....!_.BUsc.O..7.!y..A.......W....uB.................e.y...N.>.v..".u.?....v5......n.`mja....i.....zwRC..-^.|\.....a..P.(......2.f.J....-...g.f ..O....b.C..A.....f...S....:..@._E=..]C....I......=..-\...]...u..d0...2._..|B&...(......-.y.y7.O..K4.r.t?.6._...e..f.e..G.U......n3.8....g

                            C:\Users\user\AppData\Local\Temp\cab50D.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1377563 bytes, 2 files, at 0x44 +A "content.inf" +A "Ion_Boardroom.thmx", flags 0x4, ID 26781, number 1, extra bytes 20 in head, 49 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1393811
                            Entropy (8bit):7.998039489696127
                            Encrypted:true
                            SSDEEP:24576:pI4ga3jIAemcNjI7L6+iXZ4vI+arjU/QxJMT+wBeXTKgd:Rga9JcNM7L6+oZiyU/Q7G+KeXTKgd
                            MD5:0F56B43D83616D6A60134BF50F9E684E
                            SHA1:2DBCBDC795F5FB637D73099F27C5BE2B6103C060
                            SHA-256:9F4CD66A196D3874BA6BC74F9320F4EADDE09586DCB0AE00ADF0A56EC3EEE5F4
                            SHA-512:776F63994648A96C763E883D318B2889E7A3A32C21BAE8E001CDB9E8F8E2C434939C3BFA221956A715DA206BFB9FC837DEBED2EEE532A59523D783F6865BDF75
                            Malicious:false
                            Preview:MSCF............D................h..............x?..............1...$..........M. .content.inf.~R..$......M. .Ion_Boardroom.thmx.f...<l..[...................]...............p..]....XQ....;X...sQT-(`>N....#.@..w..6@.....;.!{@YP.........(..C...!M...(8.a. .e..24...R.,.x.........."."....DU$..3...]...{....Tr]W....`.........h.0............{.T........#.6.....?.........X...@.........o..6.../?.....Q...p.....p...c.../.2....H?.`.r...........<C...P.W..6..$V..~0..f.....%.;....(_.g..4......o./.......&..._....&.......<..~.K.g..6.H..HX.lAqk.b...k..cNS.l\3.......L,.y.3%,..,.....mx.?...3.........#kFR..33g.....B~l.#........'W.Y.c..4.^...yWo.f....+.Q.|....'-P..|e.')..+.UVL.......+...b..2B.E..*.-.....M..x.Sw.>..}+v.[S.......2.K...~...&Q{F.s.C..`-....[...Y...3/.........%..T.m...V.h.EU....W..2.......osEC......5.9.C....2.i-...|..4.H...=An/.w.L\s..o.o.@c.g..0r.U`K.4.H.....U.K.1.................R..p..*~.=>......I.!f..6...T./.3..s9D.yu/..O.Q..M.U1t..&.km.w..m/.Q.<G..R..

                            C:\Users\user\AppData\Local\Temp\cab51E.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1065873
                            Entropy (8bit):7.998277814657051
                            Encrypted:true
                            SSDEEP:24576:qehtHA3nsAOx7yN7THwxdGpkw8R60aTcua5U4c:hhmnsBMNAxdGpV5za5Uv
                            MD5:E1101CCA6E3FEDB28B57AF4C41B50D37
                            SHA1:990421B1D858B756E6695B004B26CDCCAE478C23
                            SHA-256:69B2675E47917A9469F771D0C634BD62B2DFA0F5D4AF3FD7AFE9196BF889C19E
                            SHA-512:B1EDEA65B6D0705A298BFF85FC894A11C1F86B43FAC3C2149D0BD4A13EDCD744AF337957CBC21A33AB7A948C11EA9F389F3A896B6B1423A504E7028C71300C44
                            Malicious:false
                            Preview:MSCF....q.......D...........................q... ?..........{...%..............M. .content.inf.Q_.........M. .Savon.thmx...O>.o..[..............&.5....UUcC.C....A...`TU...F....".54.E.....g.-.7-D....1g...p.6......@..w(....h'?.....(..........p..J.2n$4.........A......?...........@.C.W.R.5X..:..*..I..?....r.y..~!.....!.A.a...!........O.........5.x<C...?.?....C.C.......'....F../....../.$................4.7...................P...(.w.}6.........7.....01.1r........._..?.............'.._..JOx.CFA<.........*0..2.?...>F.../...;..6-8..4...8&yb....".1%..v'..N...x......}.gYb..~L.....f[..!......Y.G.....p..r...?.p...F.Vy.....o.Whll...+...M.V...:.]...B.%.H....n..@.].zaVxf...y{.@....V.t.W....$Kp-.....7W.J..h..0A3mK.=.ub..R...W......*'T2..G#G,.^..T..XZu...U. ...76.d..#.I.JB.v...d...%.....6..O.K.[.:.L.\.....1.D..2a.>f......X...b5...ZgN.u.f...a!..."...sx....>..?.a.3.8.^._q..JS1.E..9..Lg.n.+....lE.f:j.9)Q..H1=..<.R.......{c>:.p[..S.9h.a.gL.U....8.z..z.!.....2I.~.b..2..c...

                            C:\Users\user\AppData\Local\Temp\cab52F.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 471473 bytes, 2 files, at 0x44 +A "content.inf" +A "Facet.thmx", flags 0x4, ID 35621, number 1, extra bytes 20 in head, 23 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):487545
                            Entropy (8bit):7.997899883595182
                            Encrypted:true
                            SSDEEP:6144:mPoUL7rdGbRXiXMDCVcP0EO3bozD1icl+CabWQRgqOqqs/eMFq8qZumLXvjKUUo6:2D9QdiXMbMxUti/RbWhqcMw8WKUUovC
                            MD5:B4312FCA4A8A21F8905311D4427E87BB
                            SHA1:50B314F6CE6D4508557444E04E6265B7353D1087
                            SHA-256:4087D3C1E0D93567E67FC8F17CD3AD5587C2FC203B1BBEB8D7A01A750D54E924
                            SHA-512:6F828DEE15B3351CD15C5B9388AFB117B61ABDBC45559A7CC0106173E5BC2088BABC551474E9F27D183F5DBB3273520A1029B5FC514984FFCB473273C1A6F6F9
                            Malicious:false
                            Preview:MSCF.....1......D...............%............1...>..........{..................N.. .content.inf.}D.........N.. .Facet.thmx.]..].k..[......@........&...Qm.UU.A0.U...UU.S.TQS...............XU....>.2...l...K.#........OH.i.w...lX.m_./..._.......q.]s..-.v.kw.M$.v.aq.&..S.n..ad.....D.....hF.........n..@e.$.Z....".G.z........@@..o)o.:...8. .8........p.o........I.........._........9...Qd....i.A....Sp...)...7 .....qSAq.........o.....p>.......?...........y......'...OFk...`b........A.....?(f.....O.4...xO..s...xz...._.H..R....(.........e......5:7..-.9.3^G.....]....WSES..,..9....A..C.r.....d#....I....T.M.=...V.z..|p...[Y....=.Y.m.L.g.w..|....[..M..q...5......]....;.T......c...\|.6.o.QO1>Kb.&.2.B{kA......B.k..sU3{.~.2.. o#.RW...R..J.M.G....b.r.8.,$T.%.V.....h......\:....|<..t...~...-$.....J..#..8q.z..d...aB..<..[?...+msH.B5..t.....(..|...x.=..........\0.iKl.,..-...QTd...H_...`.5.........p......Iw$..?.q....S=0..p.V.........p.]n*j.s+.$..P+..t....f...k..Tv.fj.

                            C:\Users\user\AppData\Local\Temp\cab54F.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 480282 bytes, 2 files, at 0x44 +A "content.inf" +A "Wisp.thmx", flags 0x4, ID 56119, number 1, extra bytes 20 in head, 25 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):496354
                            Entropy (8bit):7.997206654807112
                            Encrypted:true
                            SSDEEP:12288:ZqKfByFV1zSEVKRLYSh6YaYJkImjMjmf0fPae/:Z5QFV1GRbhvaYKB0fy8
                            MD5:AD2D82C2A623C1176D25727003F474A6
                            SHA1:2E1D67BFC138A7533E13B19FB1747FED47305104
                            SHA-256:34A36FF02892FD8F89C77992EC7A7EB0FD1459483ECCBBEE139C38646E8685FF
                            SHA-512:1D0D19CE2A144C6DCC18E894BF2DCC8D47AD4BBCFE93D371686572E1D2DB5954685496681311BDA429684EEEFAB874391A351B0670A7124200C1D49D6717A9F8
                            Malicious:false
                            Preview:MSCF.....T......D...............7............T...>..........z..................N.. .content.inf............N.. .Wisp.thmx..;.V.x..[...............5.!$$.AA.{i..%."../.5x.y.^........{...0dD.h......v.......K..@.5.'..@X..c.O..X.vv.#....^.A.j.~gH...%....:...H..a....j..I...;j &..UB.P.@...a..%..............6..}..A.3IA%..=...|.c.gh.$u`.a...A.Ax@`C` . ...... ...Kj,..d= ..)...D."<".B...w3.. .....oV.....5....$...4;Y..A..G.....4.7...?.. ....w..i....'...s.9.o..;.=.\...0o... ...\......?.......%..............;."..<..h...g'.3;.r.....1.....Y..{.`..S+.+.-.....v.N\I.....mM.s7Q/.....}.. .0....k.E....j.....Xv..i8.d=.O... 7^o..qo.t..w..{....W.N.-.f68.j..Z..gP.."i..(tA..]e.^...f.M...d...JQf....gM.U........dN.:..Wsq.R..Y....l..d8..D~..v.U;..'f3*#.6...}.....%...s....FG.......y.ALV..>...Z...%..V91.`|..3uB..4..}L.R.+.....(k.i&....."..^....D.$$.k..;.*........U..J..Z...}..5Y}`....'.w.<..44.U9....8.\g...{.y".4..@.n.t`...u..7[.z.t.`..ZQ.K._.@a.z!T.VqlR..Y.Q.cMe.a f+...#.. .cpH.,#I;.)n<y.<..l

                            C:\Users\user\AppData\Local\Temp\cab570.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1097591
                            Entropy (8bit):7.99825462915052
                            Encrypted:true
                            SSDEEP:24576:UE9BMy98gA4cDWHkSrDans3MfEE6w8OaVuCibol0j41dwD:UE9Bdy3D4keQWt7w85VuVoaj4/Q
                            MD5:BF95E967E7D1CEC8EFE426BC0127D3DE
                            SHA1:BA44C5500A36D748A9A60A23DB47116D37FD61BC
                            SHA-256:4C3B008E0EB10A722D8FEDB325BFB97EDAA609B1E901295F224DD4CB4DF5FC26
                            SHA-512:0697E394ABAC429B00C3A4F8DB9F509E5D45FF91F3C2AF2C2A330D465825F058778C06B129865B6107A0731762AD73777389BB0E319B53E6B28C363232FA2CE8
                            Malicious:false
                            Preview:MSCF............D...............-,..............x?..........}...-...RU.........M. .Circuit.thmx.....RU.....M. .content.inf.g...&|..[......=..R.....=.*,.!QA?h..Q.!....Uk!.HJ.......VKuk.....q.w.w.U.....;...K.@.URA..0..B..|rv.ND(.`{..@.1.}...s?.....-...O.(V.w..1..a.....aW...a.Z..aX....5.I...!..........(. ./.d...me.( ..f.........w.......Xp.s....c..vB.98.....C.J......V ..ML.M...B.n.>...|....u!.5@t..q4....(K...u qL.S....>/%v%.2..TF.].e..'..-..L.N..c].a..(WU\o.%^..;...|o.6..L..[..;&....^p.Lu.sr,-.R=.:.8.>VOB...:.?$.*h.o....Zh.h....`.B.c.../K......b^...;2..bY.[.V.Q8....@..V7....I0c.cQN7..I.p..}..!..M....1K....+....9.2......a..W.V..........;.J .i......]%O.-......CeQ.0.c....MbP3.0.w..8w..Y...|...H;#.J.+M......>.`y..aWk|.i.BF.pJv;.....S..6....F.....RLG~..........J.=......"..........H.....h..o...u........M.6F?.F.p.B.>./*l....J.R..#P.....K......<iu..gm^..n...#c..zO"7M.O......4'>A..(.E.Cy.N.)....6.tx.r[.....7.......m.t..E?.....5.5.6.\..{.V.T.D.j..=~a^.I

                            C:\Users\user\AppData\Local\Temp\cab582.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):723359
                            Entropy (8bit):7.997550445816903
                            Encrypted:true
                            SSDEEP:12288:NPnBZX7wR3tMwYqNDQGnXTtfzO5U7yo6O7bLhe8yE3LLDok4a:JBMbYE7xzO5U917bLh/DL3oJa
                            MD5:748A53C6BDD5CE97BD54A76C7A334286
                            SHA1:7DD9EEDB13AC187E375AD70F0622518662C61D9F
                            SHA-256:9AF92B1671772E8E781B58217DAB481F0AFBCF646DE36BC1BFFC7D411D14E351
                            SHA-512:EC8601D1A0DBD5D79C67AF2E90FAD44BBC0B890412842BF69065A2C7CB16C12B1C5FF594135C7B67B830779645801DA20C9BE8D629B6AD8A3BA656E0598F0540
                            Malicious:false
                            Preview:MSCF....?.......D...........................?...`J..............3..............M.. .content.inf..+.........M.. .Wood_Type.thmx......r..[.........................!.wwwwqwwwwwwwwwww..."....+......nR..x..\..w..r.5R.....(|.>.$e3.!..g....f..`9NL......o./.O.bxI...7.....|........6.n."J.....4^g.........?...................o.......s3.....8. .T.j...._.Z.Q.t.k,(o.c.t.......?Z....`o........?.a....6.)....6b..../.t...........Mz....q}......C.......+{.......o...K.tQjt............7.._....O.....\....` ..............@..`....%..t....V.]........m..m....u..1.yr;..t..F.'..+{....zqvd.g._..$H..Vl...m..../....g..rG.....:*......8....h...[...a06...U.W....5.Z.W..1I..#.2.....B3...x....$PRh...\{J.c.v.y..5+Y.W.N..hG......<..F..W.d8_....c...g....p|7.]..^.o.H.[$Zj..{4......m.KZ..n.T%...4.Z..Y."q7?kuB......U....).~.......W%..!.e.U.mp.o...h...?.w...T.s.YG#......Y.}....Z.O.i.r,...n..4.\....P..m..=....f........v....g....j...*.wP..4.VK.y.z...C..oum.b.1......?.Z.>.7.!?......A..Q>..Z....-

                            C:\Users\user\AppData\Local\Temp\cab592.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):953453
                            Entropy (8bit):7.99899040756787
                            Encrypted:true
                            SSDEEP:24576:9B1Onw3vg7aeYPagzbJ5Vhv6LnV2Dhl7GEYqVjcyd:vww3o7BYPJbJ5Vh6UCqZfd
                            MD5:D4EAC009E9E7B64B8B001AE82B8102FA
                            SHA1:D8D166494D5813DB20EA1231DA4B1F8A9B312119
                            SHA-256:8B0631DA4DC79E036251379A0A68C3BA977F14BCC797BA0EB9692F8BB90DDB4D
                            SHA-512:561653F9920661027D006E7DEF7FB27DE23B934E4860E0DF78C97D183B7CEBD9DCE0D395E2018EEF1C02FC6818A179A661E18A2C26C4180AFEE5EF4F9C9C6035
                            Malicious:false
                            Preview:MSCF....]M......D...............=...........]M...?..........}..."..............Li. .content.inf............Li. .Gallery.thmx.].(.Vq..[.....0Y..........v.....w.wwwww.wwwwww.w.....".83....y8..mg...o*..U..N(..@uD.:O<........{.G....~~.....c.c.5..6./|G .@#1O.B.............PT@...b.d.~..U....B.{.........0.H.....`.H.`..'S.......Ic..W..x...z....... .........g......._....o......S......p...$....._........._...K......x..?.6.U~...'./.r.................../.......5.8..2........2b.@j ....0.........``....H... ,5...........X........|..Y.QoiW..*|.......x.sO8...Yb....7...m..b.f.hv..b......=...:Ar.-...[..A\.D..g..u....].9..M...'.R-`.....<..+.....]...1.^..I.z..W{.._....L.. ...4;..6O.....9,.-.Vt+b/$7..}.O05.Y...-..S.....$*.....1."Z.r;.!..E.mMN..s .U...P%.[.P...cU...j...h.d.../.s..N/..:..X*...p5.7\}h.Q ..._.F.X.C..z$.nV..+.k..|.@.L...&.........^#.G.a..x..w!wx.8e+..E. i..$?9..8...:......|..[."..y..&y..?...W....s..._...3Z0c.....i.q.........1c.jI....W..^%xH.._...n.......&J..

                            C:\Users\user\AppData\Local\Temp\cab654.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1310275
                            Entropy (8bit):7.9985829899274385
                            Encrypted:true
                            SSDEEP:24576:NN3M9UHpHZE4aubaPubP3M6d71FdtmFAjq+54/79LVzG+VnS:NN3M9UJHZE4abPyU4JtmFCq+q/7JlVS
                            MD5:9C9F49A47222C18025CC25575337A965
                            SHA1:E42EDB33471D7C1752DCC42C06DD3F9FDA8B25F0
                            SHA-256:ADA7EFF0676D9CCE1935D5485F3DDE35C594D343658FB1DA42CB5A48FC3FC16A
                            SHA-512:9FDCBAB988CBE97BFD931B727D31BA6B8ECF795D0679A714B9AFBC2C26E7DCF529E7A51289C7A1AE7EF04F4A923C2D7966D5AF7C0BC766DCD0FCA90251576794
                            Malicious:false
                            Preview:MSCF...........D...............9..............XJ..........}...6..............M.. .content.inf............M.. .Droplet.thmx..m7.>J..[...............2.QQPIj.*.."o^R.H5*^...^(e.W...R..x..^`..m...."..+.....{o.......Q.-....$V.N>...T]..L.... ..N.h..dOY.......S......N.%.d..d....Y.....e..$...<.m...`............@....=.z..n..[...,G..1Fn.qPDH{C<...3.Q...2..r..*...E.E.E.ErM"&a..'..W....:...?I..<.I..6o.`.d.?!..!..._.4\.._.E..).._O.S....; ..#..p.H.....c....o\.K..?$U.e.........!...J.v.....gNe._..[....#A.O.n_.....gm:P._.........{@..-g..j.69b.NH.I.$Hk?.6.n...@......'.C.._.U..:*,j.-G.....e.#.Sr.t.L......d[.[...s.....rx.3.F[.5o..:....K*.x..)M.fb...3IP.&h.Q.VX^%U.......x..l......@6.k.P..zSW.?....F..[L...4..b.l.w."&.....`.j...i.5}".~.-.....{\.:...o.'H\*+)....3.Y......\...f:.;....e........4't7..f...w..j...3....N..9`.J...P..?.....=3_.y]...f.<.......JM5.}Q/ .F.a..Z.._yh......V..>m .......a....f....!.hz..\.....F_..'z...,....h.=.......=.o..T....3.e..........$..g.2.

                            C:\Users\user\AppData\Local\Temp\cab655.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1593091 bytes, 2 files, at 0x44 +A "content.inf" +A "myTemplate_02836342.thmx", flags 0x4, ID 49870, number 1, extra bytes 20 in head, 56 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1609163
                            Entropy (8bit):7.9984205861574775
                            Encrypted:true
                            SSDEEP:24576:lAqpS8Oo3NP518YJ7quri1kR0BnuLtBz1GS1fB9z29q4Gdu7BR/jKg5rp:lAWAGNPLJ7qugk6o3AlGdcR/jjrp
                            MD5:EBCF724F8885692BB8E2EE2406AADC02
                            SHA1:73B0B931B5D05C2A4B490925E2A54E4A7DEEBA36
                            SHA-256:80ADC8C9EDE235AD8CD45EEACE2F40227ABA01D9FEF261756F4A4C44EAFB146B
                            SHA-512:71FCC0E5CF084F673C805EC51DFC68C4B93E85E7D593449E6F9732CAEC32F004F24300A251BA8CBABF1774DBF732FDCB9CFB164B3A77CA0CAD14C2825B78EE68
                            Malicious:false
                            Preview:MSCF.....O......D............................O...>..............8...0..........N.. .content.inf.....0......N.. .myTemplate_02836342.thmx.y.5.|z..[..... b..RP....E..(*.5..J I1.I.P.j...t].mT...2]...k..."...0f....H.h..........F..\.....'D....2...m..&.A...g....Y..".}...t......!.B$..;..(D...F...*....(...............@.?.Hj....T.............Mr.........5..E?G&.....?........M....N.........4....p......$...?.5.y.........8.a....#.....+...q....#..E....?2..u........hw.Y..............q.....................j.t......hS.m..?...._.s....k.....j.n.o."..5.44......q.up.g.X..U......kp.S..4....0..0{.(D..d.X|...#s&7.........M?.Rv-9.~....bvd. .p.C.B..V.f..;.8V..g..e.#f.._f.......`F.....#!.",[.B.7..$....-j.......kO..a..QG<B...2./.>...|..\.+J..x....(.....v.+.:PfO.;..T..Zo<.......]..3..C....LW.0:..8....+....P.k.r.._........PC.......J$...N5.a._g..Zw..!!'5....W.v.....r.gO..&6..w....Cc)..H.7.;...WCXu..j%..0......x...mEo.._8.^....+.h._W...z.3.+s..[..9.cV...\l}wLc3i.Q.3.M....x

                            C:\Users\user\AppData\Local\Temp\cab761.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1766185
                            Entropy (8bit):7.9991290831091115
                            Encrypted:true
                            SSDEEP:24576:O/gjMj+RP9Q07h9F75a0BXjBccHMVk2Hq2SkGa0QglyZtxmdPP2LcSUtfgfp16Yx:kJ6RP9Q07/X5V7yVF0QgktxAPutUt0zP
                            MD5:828F96031F40BF8EBCB5E52AAEEB7E4C
                            SHA1:CACC32738A0A66C8FE51A81ED8E27A6F82E69EB2
                            SHA-256:640AD075B555D4A2143F909EAFD91F54076F5DDE42A2B11CD897BC564B5D7FF7
                            SHA-512:61F6355FF4D984931E79624394CCCA217054AE0F61B9AF1A1EDED5ACCA3D6FEF8940E338C313BE63FC766E6E7161CAFA0C8AE44AD4E0BE26C22FF17E2E6ABAF7
                            Malicious:false
                            Preview:MSCF............D...............)q..............0?..........{...H..............M.. .content.inf.;.#........M.. .Slate.thmx.p.+..P..[......U..............p..K.!.......*...K..w..v........=....D$r...B....6 ...X.F0..d..m.s...$$r........m.)6.m3....vXn.l..o...a...V......Ru.:=2M.........T.....4S`EP......\..r,..v...G.P......'._H0]..%_............X.P.,.............H.?.-.H..".......M..&..o....R........<......`...D.H.._.G.Qv..(.*.U,.9..D...."..T..i.e../.e.."....,S...o.X.....c./..V....Z..o.O..2....{...+... ....0.@J.R.Q.m.....{.....h?u.q.O{...l.d)..Yk`.....#...u.-.m..#CXwrz4..7.>......v.E:.#.oGSKS.TX.Chm.4aQ......avH..{..j+@6[k].....`c..W8..j.v.Zh.]....4......K..#Hzyd..K}.....H|<H..\(l...+..%Z......~.S:^..d>..1..H%..7N-v.....Wu.*..b^.B.....k0gc.2.{.!...E7.}3.d...{.Ye...&#f6...:2......v..&!..k0d.p.b...,..$.....Y..60...h.N}.r...<[./........{...Es..&.nf.....2.@Fh3.9.G....l.[.C..SD/6.H.K....}..m....M..........gl.P.]..I......5....e.c...V....P...[.=.......O.eq+

                            C:\Users\user\AppData\Local\Temp\cab800.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):1881952
                            Entropy (8bit):7.999066394602922
                            Encrypted:true
                            SSDEEP:49152:6Wp9u/ZAvKz7ZFCejPiSmYXKIr6kBwBUA:6W6Bn7ZFNiiKo2l
                            MD5:53C5F45B22E133B28D4BD3B5A350FDBD
                            SHA1:D180CFB1438D27F76E1919DA3E84F307CB83434F
                            SHA-256:8AF4C7CAC47D2B9C7ADEADF276EDAE830B4CC5FFE7E765E3C3D7B3FADCB5F273
                            SHA-512:46AD3DA58C63CA62FCFC4FAF9A7B5B320F4898A1E84EEF4DE16E0C0843BAFE078982FC9F78C5AC6511740B35382400B5F7AC3AE99BB52E32AD9639437DB481D1
                            Malicious:false
                            Preview:MSCF.....x......D...............l............x..`?..........|...D..............M[. .content.inf...!........M[. .Damask.thmx...o.PI..[.............../.TU.jj0..3jCUPU.jF...m.UU.P}.....PU..*........w..#....E..].................A.. w.$..@..'g.......6%:..r9..d.M;M+.r.8[d{.s..dh..(P..........!.. ..ne..f.Nc..#..Y..q....KB}..b].@..F.&.t....E.........@&.m......$w......q...:.H....p.p.....?.9x.. .....?...ao....I....................o......g.u..;."....O;....{..(k..._.w/.Z......Jb..P.O?...........?....F....ty..72......! #....v..J......?.....!,.5.7..Em.....is.h.. \.H*)i1v..zwp.....P.....x].X{O//..\....Z>z....6...+..a.c...;.K..+...?014..p.w%o^.....]...MguF...`....r.S.......eF..):.dnk#.p{..<..{..Ym...>...H......x.}.hI..M....e......*G.&.?..~.~G6.....+...D..p...._...T....F6.[Cx./Q..Xe.>.;.}>.^..:..SB.X..2.......(A..&j9....\\.......Haf+]Y...$t^Y=........><.w....tL../E...%6.Vr~MI...l.....<.0.I....7.Q8y.f.uu...I.p..O..eYYS.O......9..Qo.......:..........o.............{

                            C:\Users\user\AppData\Local\Temp\cab801.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 2042491 bytes, 2 files, at 0x44 +A "content.inf" +A "Depth.thmx", flags 0x4, ID 63414, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):2058715
                            Entropy (8bit):7.997107658057165
                            Encrypted:true
                            SSDEEP:49152:5IgXLOTa1MKe/VpMDaIWRzU3lLqvaF1buL7rNQVxE:WgXaMMrViuIWtUkvGoHr+W
                            MD5:A6DE20BA06CD7C8AAB98F8C03BBD49F7
                            SHA1:CEDA0FE1EEA124EADC13606B5624373B922D24EA
                            SHA-256:AD50810112E08B981E967A5984DAB3DA6C4AAA890316BA38D44F39D80CCBB4E6
                            SHA-512:54FC0A7C2BEB082677882E0BC128CD77F13CC8E3C3C286056DB2D5FDC608865ADD3C3FDC4A8AFFD120E3A98128BC15FCE7FE7D90121A5462A66F8FCA0F93AABA
                            Malicious:false
                            Preview:MSCF....{*......D...........................{*..`?..........{...H..............Mn. .content.inf..#........Mn. .Depth.thmx...8.hx..[.....@8....@...=.R.I.:...-..a$IA*.a...Z).D(....u...$Z..G;Nkw.7F...........v.+.L@..":..A.mb.......u.@......`r..+........N...j..>...j}.....bG^.I!.W$C/@X..............j.H.... .1.).....9........ii6..:.m_.X.u.?.47.i...+mx...&:.7n....M...."~...m....f..oD.....\l..9N..w.2...9...4...:..6....k..?L.....'.....y....gY3....__9..~t.......3m.u.......~......f.......O....K....r:u..Y....-.H.w.].^]M...F.oz.........~.3....#fk.E@.R....z...yC.6............"..._..i:<S.?.@.z.Y....*..-..?...t..b.. ....m..9l.7.....(..w.....V.G4..Kf.$f).....ym..4sk.,..c.........j=...f.n.F...r.*C..=#.....+..?../C...t2..v;H{. F..V.u....:(....\...r$Y.q.&o. .1..q.`w......-..I.......~.+.d./.[w(...u..Y...I]..H...xI...?....dE....{.C.[z.....L...#..~......e.......]..l: .; ....8.P.9B....d.o.9\r....V.[BpW...u..|...e|e...{.x.}.tz..N<G(...N9.._|..a.?.....E.Ck..u../v3...N?.

                            C:\Users\user\AppData\Local\Temp\cab90D.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 2738786 bytes, 2 files, at 0x44 +A "content.inf" +A "Integral.thmx", flags 0x4, ID 26156, number 1, extra bytes 20 in head, 106 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):2754858
                            Entropy (8bit):7.998611101143596
                            Encrypted:true
                            SSDEEP:49152:3+eO6OYqspfKnz1J4qgcvFhud2BbPI6fp4q7+lyip3vyUM5ZCFwNn3zMiSfM:386mEfGn4jcvFhD1p4uw1pqUDmn3wiUM
                            MD5:57399106826184403A379F7A9A869AD3
                            SHA1:591AD2D06F93A793441DD6FD18EB7DF02549D7CE
                            SHA-256:3779E325D94B6FA8023669DA99CF47A3169E6648913018886647ECB9E6F735E9
                            SHA-512:70789E2D81F52D734AFE2446EB7E4925E354FCE37BC4BBB4CF0BAE7D215144FE81857A507AFF107740B8AB824A1662812A5D450961C02F9BEF2D3E1768C99F69
                            Malicious:false
                            Preview:MSCF....b.).....D...............,f..........b.)..>..........~...j..............N.. .content.inf...4........N.. .Integral.thmx.h.J`.}..[..... ...Rf....O..{.K........Bx]...t.&..7.........n.A]....!.El7.h..........F..DBX..E+4.....d..Wy.!fR.x).=.U.=...4..U....y.]4y..h.^..i.J2..V.O......@....T......~.u........5..}C....~....,.......S.....n/....<*p.}._...N......O.!...?.......DO.8.........cF..~.......e}...>...I.._.g>............n....[..1....W....7w..........A1.q....................B....{_..:..sm..5.9;G7..i...NM..9.G.O..G...=+.<.........#${..#.r..9.....UN^..W.A...{ts....u...e.^...W.u.[.K.q.y....I8....N...<.W..*.Epu6...V....|.u#.k8S!}...8......v..;4Z.z...o..#./....\.......=.un..~..g..X.:&,.eK. n0.....H.L(..y..H..|..Y.L..\.V.'.-..M...\..-.[%.m......x!O;..sw.z6.....bx]|l..YU@....K..J......\.....Y&..L[.'...i.v..4".5L'...G.z.0E.k.l.%.U...1<...K.....(Wn7.}.j::..e......?{.&...'U.n...O4...4..rS.....F.)......l..G.4)=.7...v...w...bw.L.....E.;3.......e....)c.E......

                            C:\Users\user\AppData\Local\Temp\cab92E.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 2132545 bytes, 2 files, at 0x44 +A "content.inf" +A "Madison.thmx", flags 0x4, ID 44832, number 1, extra bytes 20 in head, 75 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):2148753
                            Entropy (8bit):7.9987997302874785
                            Encrypted:true
                            SSDEEP:49152:3S7Eynda/aPhPWgYPaNu/I757rju1RAVRe3i89Y7NAc4gdCCg:3S7EyCatWBaNuwi1RuRg9YhT4wVg
                            MD5:466E5851E601CEFA5F84681011165ED0
                            SHA1:0FFCC96B7FCB497CC8494F94703EB60452815414
                            SHA-256:C8B322819A2F84BF80ACD654AAAAC3E08DEBB533B1086021078EFFBA27968A37
                            SHA-512:E10D1D40F5A56E13CDF533E2A544BC762BBDEC2C08178E7129684E13F93DBBAC834C4606BC5821A8D28D48AF4CC855B5DF92D66207D3F85254867C4813D3D164
                            Malicious:false
                            Preview:MSCF....A. .....D............... ...........A. .P?..........}...K..............Jrl .content.inf._H%........Jrl .Madison.thmx..H..dp..[.....@.........5...lIT...\..S.J........Y..BDQQ..P.`B.., Uq.$..>.Q..."..;..<q.....B...2..!..m7h@..z. @#\{.)N...A..$Bd.F.4..6...n{.1%..Cp#e.g.....\..l2..C]n......#sn...s{....$.............lj....}k.( ......(.p.......G...C.C9FQ.X.|..F..L.31.f.../..kP..Q.(..T/.3..E..Q.(..f9................[?..._3+.P.B9...2.B).7>)...........1.S.....(9.>.m.....~s....3.>..L...>K...._?..Y...7......?V.w..3.."e...%..../.9jJ).Q..v,.V..G.....>}gU.:../......H5.f......l7T[U...E..i.Pe...m...4h..g.wp....^...{7......=<.{.{%.ma...{Y^..~.R.xD.....u.;.|S.."....u......N......4.^.2<a~..!.!e.c.L.J1L.jv.l..7.1....R(dhOU.*....m..._Yu.S.s.k.;..}..p.4...k....<}b..=(U.-..k.........4..3.......Rwf.3..N4.r.....r..[4...c....b....i..OI...h.2l%..3..YWt..P......{...b.94l.>.x..Ucx..W.k....Z.|.D..js..|.%.~b.vjs..f..V.f.v...?.O...C.W..e.b...7.i..rv]k...>uO.... H..KHI8I..O

                            C:\Users\user\AppData\Local\Temp\cab93E.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):2527736
                            Entropy (8bit):7.992272975565323
                            Encrypted:true
                            SSDEEP:49152:NFXdpz4d98p/q5jA4q+9Uf5kx6wHR8WfPJZVhWzH4dRze76YP9nJ7yyAInT76nSY:NFXdKx5sM9SmxHKexZVhutJJVpCSqa0Z
                            MD5:F256ACA509B4C6C0144D278C7036B0A8
                            SHA1:93F6106D0759AFD0061F73B876AA9CAB05AA8EF6
                            SHA-256:AD26761D59F1FA9783C2F49184A2E8FE55FCD46CD3C49FFC099C02310649DC67
                            SHA-512:08C57661F8CC9B547BBE42B4A5F8072B979E93346679ADE23CA685C0085F7BC14C26707B3D3C02F124359EBB640816E13763C7546FF095C96D2BB090320F3A95
                            Malicious:false
                            Preview:MSCF.....R&.....D............................R&.8?..............Z..............M). .content.inf..,........M). .Main_Event.thmx......R..[...............=.1.^xa..^...../..^x....QA^"....^/.I.{/F..F..........6Vn. ..._Hmc......<....#.{.@.....Xl../Y....Ye..'V.f.S.Vf.T..0t+..y...5O...{.....-.dT...........!...[ .ns..k.....QAA.. ....B..u.`.....{.\u8.0.....@t........K....@..w.......>...-1F...........1.E....O............_M.m..CP.O......X......g......].../..:C...Q...i.._"...M..1o...S../...9....k;...}S........y..;1o....1h......t.CL.3...].@...T...4.6.}.....M...f...[.s.."f....nZ.W......0.c.{.`.^..Oo.[.JT.2].^.f..a....kO......Q..G..s.5...V.Wj.....e...I,]...SHa..U.N.N.....v.C.....x..J{.Z.t...]WN...77BO-J......g......3:i..2..EFeL.,n..t:..,~4gt.w...M.5.'h.L..#..A&.O.ys%K.Z....F.PW..=jH...jGB.i..j.J.^.#.\n...J@.....-5.f.1jZ68.o...H2.......$O...>..ld&,#$.&_....yl.fkP$.........l....s....i.tx.~<.z...>..2.Gx..B..z.E.3.N<....`$.....b..?.w.[.X..1.=q!.s......v.......r.w

                            C:\Users\user\AppData\Local\Temp\cabBC.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):22008
                            Entropy (8bit):7.662386258803613
                            Encrypted:false
                            SSDEEP:384:M7FUtfIdqSHQs7G8E0GftpBjED/C4RQrFLrHRN7TT8DlvQyUTL2mH:sWgdqR2G8Pi6D6YQZTTMvU+mH
                            MD5:ABBF10CEE9480E41D81277E9538F98CB
                            SHA1:F4EA53D180C95E78CC1DA88CD63F4C099BF0512C
                            SHA-256:557E0714D5536070131E7E7CDD18F0EF23FE6FB12381040812D022EC0FEE7957
                            SHA-512:9430DAACF3CA67A18813ECD842BE80155FD2DE0D55B7CD16560F4AAEFDA781C3E4B714D850D367259CAAB28A3BF841A5CB42140B19CFE04AC3C23C358CA87FFB
                            Malicious:false
                            Preview:MSCF............D................................?..................................architecture.glox.................Content.inf..q5.^...[.....0y......../..CL.C5.Q..U5g.z....UUUMPC...C..P....T.....=..s..4c...-3H..E...2..2*..T...../.i.;$..............%...................'h.........#0.......[........c.h.....O...%.61...[.J..:.,^....W.]$..u...N.R.....H.......:%I.g5Kd.n6...W2.#.UL..h.8NN../.P...H.;@.N.F...v."h..K.....~.....8...{.+...&.#A.Q'..A.....[NJ.X.....|.|.G5...vp.h.p..1.....-...gECV.,o{6W.#L....4v..x..z..)[.......T.....BQ.pf..D.}...H....V..[._.'.......3..1....?m..ad..c(K.......N.N.6F%.m......9...4..]?...l6..).\p;w.s....@...I%H.....;\...R......f...3~:C...A..x....X...>...:~.+..r@..."......I..m.y..)F.l..9...6....m...=..Q.F.z..u......J].{WX...V.Z.b.A0B..!....~.;Z.....K.`c..,X.MFz....].Q.2.9..L."...]...6...JOU..6...~../......4A.|.......i.LKrY...2.R.o..X.\....0.%......>H.....8.z..^....5d|...4|...C......R28.E......a....e...J.S..Ng.]<&..mm

                            C:\Users\user\AppData\Local\Temp\cabCD.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):20457
                            Entropy (8bit):7.612540359660869
                            Encrypted:false
                            SSDEEP:384:KyeISBuydn5rpmp77G8E0GftpBjE/kFLrHRN7ngslI66YVj:KHISBvd5rpmFG8Pi6/6nK666j
                            MD5:4EFA48EC307EAF2F9B346A073C67FCFB
                            SHA1:76A7E1234FF29A2B18C968F89082A14C9C851A43
                            SHA-256:3EE9AE1F8DAB4C498BD561D8FCC66D83E58F11B7BB4B2776DF99F4CDA4B850C2
                            SHA-512:2705644D501D85A821E96732776F61641FE82820FD6A39FFAF54A45AD126C886DC36C1398CDBDBB5FE282D9B09D27F9BFE7F26A646F926DA55DFF28E61FBD696
                            Malicious:false
                            Preview:MSCF............D................................?..................................chevronaccent.glox.................Content.inf..O.$N...[.........B.....?.....$Zy..Zkr...y<.....Di-.aVX/....h..-.~........#.../.Fz....T...p....A..eHMe[..p...=................f..../%o......F@..=..$.B!....}.0..g..^vlI......f.W.F...Nm..2`...)...,.HL4.nsl.F.ir.k..e.!^.j2.v.iT....t...*..!h..Y...2Q..-.x.,.Xj.U.cj,....9.....)..W..n3f.......(cH.D.4M.!.+..4..3r..y......|r..@.PD.R..#...F..nJAR..1{-.....u3..$..L.b+h....:lZ.>....q.?. ~l..^.%.m....a...cG.h.?.|.?7.'....b.G.4..'..A...o.Z...//..?...d..*.....C..Z.....]Yv.g.]..... .........]x.#=.../.7;R.j....G.....zq=O`[.'5g.D.u..)..../../.v.JmCW.da....3.f..C.z%...S=....;A.q.|....z.E.aRu........ k..J"+.f.S.@.........eD4....\0..t./U..%.H..........M:..U.......J...Z..H.DG..u^..D..P....`.^b.........`c......#.....c.?...#..C.V.&.'..f.'...f.[..F.O..a...&..{TiXg4; .X."..0...B.#..^..........N"..w.@f...gd.S..K.....E....ZR...;.twR>.z.

                            C:\Users\user\AppData\Local\Temp\cabCE.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):19893
                            Entropy (8bit):7.592090622603185
                            Encrypted:false
                            SSDEEP:384:v3Zh3VlkpSIcgbA8E0GftpBjEmm3UFLrHRN7GYvlvQyUTL2mTAp:v31qp/A8Pi6mUqGGvU+mcp
                            MD5:EF9CB8BDFBC08F03BEF519AD66BA642F
                            SHA1:D98C275E9402462BF52A4D28FAF57DF0D232AF6B
                            SHA-256:93A2F873ACF5BEAD4BC0D1CC17B5E89A928D63619F70A1918B29E5230ABEAD8E
                            SHA-512:4DFBDF389730370FA142DCFB6F7E1AC1C0540B5320FA55F94164C0693DB06C21E6D4A1316F0ABE51E51BCBDAB3FD33AE882D9E3CFDB4385AB4C3AF4C2536B0B3
                            Malicious:false
                            Preview:MSCF............D................................?..................c...............TabbedArc.glox.....c...........Content.inf.;....Y.[.........B.....?.T..ZD...........^C...U.R<Z....z+.I.....Z..-.V...f.....lB..\P.....=.-p....w ...\.kD..x'v..T..A..............".8...d.........FD.ZL.h..T...bp.)9B.v..i..VX...&..\..7.s..qy...l........Rty.Y...rU..>.9...8....L..\.^x.kDU.|TJ..{kN.G..E..$.kvy?.. mv......P..4.....q.1.6<u....e..dD...4.1E..Xi.5.=....1.P.c.K~S...YMO:.?..cL.g.tq\.(b1....E..0A.i..C...BT.m.S......:...}.&U..#QL..O.O../..K......=..........0a..O............BYP......>f.......iu...7.K..;QO~.t....%N.s.]>~#../7YN.....C..9.=cY.......y..U5.....,.....u.....#_..SG.`NR*.....?*..d.R.k.rX$...&.... ..h.4T.D^k-xA...............Hz..ep)e..4..P."fo Ne...o.....0n.Exr.........H..v...A.."..%)2......5...".}j.o8...E.HRQ;}.. .._L.+.jz....{.U..}...=B.o.^..vZ.:5.Z.M....y{\(...N..9...EB*MG...!N.vy..^...nE..2..@.;.4..C..t.4....h..O.8.=.m./...|Lu.|mCU..b.^.n39.h[M...%D{..w.1

                            C:\Users\user\AppData\Local\Temp\cabD0.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):20554
                            Entropy (8bit):7.612044504501488
                            Encrypted:false
                            SSDEEP:384:zEAH676iPi8+IS5iqn7G8E0GftpBjExDxIHFLrHRN7Ke/ll7PK/pGaz6:zEhG8+ISrG8Pi6xDxCKoIGaz6
                            MD5:486CBCB223B873132FFAF4B8AD0AD044
                            SHA1:B0EC82CD986C2AB5A51C577644DE32CFE9B12F92
                            SHA-256:B217393FD2F95A11E2C594E736067870212E3C5242A212D6F9539450E8684616
                            SHA-512:69A48BF2B1DB64348C63FC0A50B4807FB9F0175215E306E60252FFFD792B1300128E8E847A81A0E24757B5F999875DA9E662C0F0D178071DB4F9E78239109060
                            Malicious:false
                            Preview:MSCF....:.......D...........................:....?..................................PictureFrame.glox.................Content.inf........[.... '.q..@.........<./..+./. ...."o.o./..{^a.7^.D.HA....^J... ...........T%q..b...+pz.n.=....jT.+M..=H..A...py.3.........H...N...[..%..~....>.%....3.r...wx.....0.....7..94..2..45..7f.......D.. ...[...f.:H..../N..4.....8.....:x.I....u|.`."...\..N..%.M#..^v$.*....T.m.....?.-.wki.X..8..F.G..Y.^8...-....+.&.+&.No...e!.#.8.....YF.......<w.....=.Q.S..7....MW....M..9A.3..c..L....|.E-Y....]n".|....b9..l@.d.T...a.f...~.&k.[..yS..q..]L}..)w.....$.@..v...[9..X....V...a.NK....m9.5.....Kq.;9`.U.e...8.<..)Y.H........z.G...3n.yWa.g.>.w!e.B8:......f..h..z....o.1<.RT..WK...?g .N..+..p.B.|...1pR_......@...a....aA......ye..8...+M.l..(.d..f.;....g........8R.\.w.:ba....%...|p....`lrA.|....a.U.m=ld......7....#..?Dq..D.....(.5.K.a..c.G..7..]hF..%:}......}J.j$.....4...l];..v>.&j........Y.vk..$1.@X$...k...9..?...z..![..../...).a.=....aZ^.3?....

                            C:\Users\user\AppData\Local\Temp\cabD1.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):20235
                            Entropy (8bit):7.61176626859621
                            Encrypted:false
                            SSDEEP:384:j3W3yGyjgbA8E0GftpBjEHvFLrHRN7pDAlI66Yv1:j3WFyAA8Pi6HVpDZ66c1
                            MD5:E3C64173B2F4AA7AB72E1396A9514BD8
                            SHA1:774E52F7E74B90E6A520359840B0CA54B3085D88
                            SHA-256:16C08547239E5B969041AB201EB55A3E30EAD400433E926257331CB945DFF094
                            SHA-512:7ED618578C6517ED967FB3521FD4DBED9CDFB7F7982B2B8437804786833207D246E4FCD7B85A669C305BE3B823832D2628105F01E2CF30B494172A17FC48576D
                            Malicious:false
                            Preview:MSCF............D................................?..................................BracketList.glox.................Content.inf....7r...[.... G.q..@...B.....?X!.A.......!........X..Vk.JK...Z..=......PD.....P....5...jp..+..T....b.)np5.7.....Zz........... ..!.....S......1....`....h......T?.Nq../......z....[..:..5f;....O...d.FxD...4...Z....[..a...w..W.[..P...5.]...6..."...+t].!...2\%%`Q.\..)...=>.)......a.$.2.,...2,.Lw.?..+..qf....h....T/B.....}T.E...'.%.....,.......X....b..gt.hPYc|.....a...j...=...{..a.`!8!..|...L.T..k..!,.R.z/W....{..,...+..w.m..sQ..7<x..B....?....\.)..l...d...}.....v..W.C..'=p1c.Z=.W.g.e....&wm..N,..K.T../.oV../=9.}.....".28...r.Q....dzj{....S...1m...x9_...2PXpa...Q.n.$z...c..SGq...k......}kPE..*...3.|.5A.>..6.......+)qCB....q....qNkGe...W]..o..Z...J.<.i......qq.8....q..BE.(...._h.U.\@3.F...KdO..=1j+....).*Q.|B..Z..%......LDYk....j.....{klDW..#CVy}...X..O!..}..s..&..DC.....tL.j..b.......[...n.'..1..Xc...9Q..gM.....n..3...v.....~.).

                            C:\Users\user\AppData\Local\Temp\cabD2.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):22149
                            Entropy (8bit):7.659898883631361
                            Encrypted:false
                            SSDEEP:384:b98FG/zdCbf7BOEawSi8E0GftpBjEPTFPxFLrHRN7S5ll7PK/pA2:N/zAbDae8Pi6PFPSRIA2
                            MD5:66C5199CF4FB18BD4F9F3F2CCB074007
                            SHA1:BA9D8765FFC938549CC19B69B3BF5E6522FB062E
                            SHA-256:4A7DC4ED098E580C8D623C51B57C0BC1D601C45F40B60F39BBA5F063377C3C1F
                            SHA-512:94C434A131CDE47CB64BCD2FB8AF442482F8ECFA63D958C832ECA935DEB10D360034EF497E2EBB720C72B4C1D7A1130A64811D362054E1D52A441B91C46034B0
                            Malicious:false
                            Preview:MSCF....u.......D...........................u....?..................................HexagonRadial.glox.................Content.inf.........[.....`........./.mT.T6...CP..z5...0.PcUmCUSUCU.Q.P.0..f............^...H..2e.[..8...ld......*F.%.j.w!R..NA.L............ .r..z....$&.........P.=.r...O...e..dfv_.i%.C....^......?..x...+d..].B.3..EU...|Cc..z.`lQp..fr.....8!;.8.p.ZwH\.........~..T.t..]..H.]..S.2..Vt.....r.H../..-8........!:.Y&..|A..J.U...-.%..k..U...4m.. .q../..b.8.vc~......_q1.?..Bh.v.....L..I.$I..s.".u.. Y....I^5.v...3.......].^)b.t.j...=...Ze~.O...|.}T.._9c........L....BV.^......X..?.....{.>.j..5.m...d.7........g[..f.nST...i..t..|.T.jjS..4p.Pxu..*..W...|.A)..|9;....H.e.^.8D..S...M..Lj.|...M.m+..H.....8.&-....=.L.....n.v..M.9...l....=r......K.F.j.(.(xD.3..r'9.K..-...5..Z..x....._....a[...J...`.b_a\\j.ed..\.3.5....S.T...ms.....E...Xl.y.LH=...}..0.T...04.4..B[..H.....B{B9.h..=.8Mn.*.TL.c..y.s.?.c9$l...).h).6..;.X../_>Pl...O...U.R..v.dy$A

                            C:\Users\user\AppData\Local\Temp\cabD88.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):2591108
                            Entropy (8bit):7.999030891647433
                            Encrypted:true
                            SSDEEP:49152:ZSBBeAefkpB5iXfQJgi7JBaCCRZ3cM2VDHkvSJO6qzI1tE9Rn:EBI6gbCkMPDHKSJO6qsP6n
                            MD5:BEB12A0464D096CA33BAEA4352CE800F
                            SHA1:F678D650B4A41676BA05C836D462F34BDC5BF648
                            SHA-256:A44166F5C9F2553555A43586BA5DB1C1DE54D72D308A48268F27C6A00076B1CA
                            SHA-512:B6E7CCD1ECBB9A49FC72E40771725825DAF41DDB2FF8EA4ECCE18B8FA1A59D3B2C474ADD055F30DA58C7E833A6E6555EBB77CCC324B61CA337187B4B41F7008B
                            Malicious:false
                            Preview:MSCF.....D'.....D............................D'..D..........z...^..............M7. .content.inf............M7. .Mesh.thmx....&~j..[.....0.................]............ww,v.\....D......3m..m!f..0..E{..?..`..A...k.:....I..........|bmG.FS...f.;.J.vzb.......R.......-....|.......ESD.....".4M..M..t.N....y..,..#.4.5.2.......'.8.Q..3.D..T....!.......&rJg...s........(..9........Dw..'....9.-..G.c............E.. .O.....a..O.._..s..)7Wz~....bJ..D...o....0..R/.#...?.......~6.Q?....?y...g.?............TP..r-...>....-..!.6...B.....\../...2....4...p$...Oge.G.?.....S.#x(..$.A~.U.%f....dJ..S.f{.g.._..3{.fm2.....Z.\o&.[k.m....ko.8..r.-.Go.OQ..'!6..f.L...Ud.$.q*.L.....R.. J.T&4g...7.2K...#k.[.].:....lk.....;c..DRx.`..&L..cpv*.>.Ngz~.{..v5.\...'C.<R:.C8.|.fE{......K...).....T...gz}..rF..Q.dof7.....D.f=cm...U|.O.]F...5zg(.. ....S..._?D....^..+.i...Z.....+X..U!4qy..._..`I..>./.W.7......=.O....BG..=..%9|...3.?...}.$"..H..u...0.......a..:t?.....8...Z..#g.=<.e.`\......KQ..U....

                            C:\Users\user\AppData\Local\Temp\cabD89.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 2871083 bytes, 2 files, at 0x44 +A "Celestial.thmx" +A "content.inf", flags 0x4, ID 12122, number 1, extra bytes 20 in head, 101 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):2887155
                            Entropy (8bit):7.998455532594825
                            Encrypted:true
                            SSDEEP:49152:qUwqNNZTcomaX/9ImsCnslPrLI6hzr6BifW7JR4uyIpT/hwnXRtJWmMm1vVGoyqP:qvqR5ms9noPrEKzWB0WMuyIpT/hwnXXF
                            MD5:D7751432D989378FF1072BE65D877256
                            SHA1:90B5BB3EB8B2098E759D52211188B2BDC26E1A1F
                            SHA-256:A1ACF9D982A2531697766E894FAAB8AD73690E87EC341097FB0F5682E1B76E21
                            SHA-512:95A305228692F1ACCF57220C201172588B866D8A0733BAC7EAE6A6FBD4DE8870B4E984F4B677AD6CC8CF03A64D39B90E05EC4A17277E166AF3A5FD8DB7A3714C
                            Malicious:false
                            Preview:MSCF....+.+.....D...............Z/..........+.+..>..............e...KG2........Ns. .Celestial.thmx.....KG2....Ns. .content.inf..P1,k..[.....@........./.UUUUCUU5.UUUUCUUU5PUU.AU4.3464a.D3hU.....W.gnqw....I$<'dN9..3).;yI>H'..g.....'..?.....oh...\,wn..A.a..R}.+...H.r.L..._............m(...j'......$.:......o..*).....@.....B4f..|.....4...`.{#.s./.W.^\.L..]4[.e.[@P.A.....E....ZC.ZOr>.iB....{-.{..R.p..G6.i(.....n.H..k.v..]..,.F.Y].m...s.|8^.....O..C...{.v.Tb....E...ir;Gr...2-!@..3uF%.ec.z8}...*VsS.?.....3.V..8p...L....7z..=...y.....6..\......9..-..OY.1...E.{.o.gw.1.....-...(..Q...;.C\...t.I.c[...6...\.S....,V...2.Z..&...\.$......./=~...UG.V.D..........Ry.ri.....=..........d..+...u...)gY_..........?....m8i..J..~<Ej..*.$).c.../h..'.....yH...g.2.._. .....5z....g..Qa\....w....0.v.O7U...YY2O..4.0.Z..4.-J..a.D.DqY..@3... ...}......].PH..".n[.[....f..+V...lu..%.&.MX(...T...Vl....+6..B....^.f.e..i.J2.{...aM.b.."...|...uV..n.8?.}.X..L....*.e1=E...Y......t

                            C:\Users\user\AppData\Local\Temp\cabE3.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):31083
                            Entropy (8bit):7.814202819173796
                            Encrypted:false
                            SSDEEP:384:0XbSq3W46TVZb5fOFo1HtZwGqtRT44hS+nyBoiuFgbA8E0GftpBjEcBFLrHRN7Ku:0XpOflfOFo1DMr/iuuA8Pi6cfKjW66b
                            MD5:89A9818E6658D73A73B642522FF8701F
                            SHA1:E66C95E957B74E90B444FF16D9B270ADAB12E0F4
                            SHA-256:F747DD8B79FC69217FA3E36FAE0AB417C1A0759C28C2C4F8B7450C70171228E6
                            SHA-512:321782B0B633380DA69BD7E98AA05BE7FA5D19A131294CC7C0A598A6A1A1AEF97AB1068427E4223AA30976E3C8246FF5C3C1265D4768FE9909B37F38CBC9E60D
                            Malicious:false
                            Preview:MSCF....[:......D...........................[:...?...................A..............CircleProcess.glox......A..........Content.inf......9.B[.....@*........!...(A.D..K.W.wwpwJj\.K\w...]...K.!.....@0..?,...}won`... ....&I..(;.....X.u..^.R..^......_:....W>f\....T...B..i`|q.....................i.5....(........0q7@.@..F...?A.`.....,L.......5.+../56..a`....1C5..9.*I.N.......@|<+./......... .ya....>l.,t.......y.y5...FF.,F..jCA...SA..H....8u.L..eM?.w8.......~^.Mr.[...(.._......u..+.......j..TJ.:<.3.X`...U.bz...[...r-...[...+..B.......}...\'.i...C.8.B_...c.8</..s.....VQ.Y..m.,.j~;y ...2.5.VQ...K..jP..2..r-...HA...."..9).7.....5.E._.wq.......!.+n+.f...s].4M'.1&...5....4..k..NV.M1.7`a..<.P4.|.mrd.i.R...u...............v.}..n\.C$.....[..2c.^..W..g..._.0.C.o....%.z.!.;.@y.`\..UO#i.)...Q...........L. .\:_..H.{.W...@...T.4..A.a...Wo?o$4.....#.V.s8M.Gh..p?A...Y.....)...........r|...!..o9...8..%#.[....;...3<Z...g....~.Z....,.(...qA.'x#..xC..@...HOuW.[.[....c.........

                            C:\Users\user\AppData\Local\Temp\cabE4.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):25314
                            Entropy (8bit):7.729848360340861
                            Encrypted:false
                            SSDEEP:384:75V23GNhfG/YvmBqWDP7G8E0GftpBjEB1vrFLrHRN7mKll7PK/pRU0:LS/Yvc7TG8Pi6BLm6IS0
                            MD5:C47E3430AF813DF8B02E1CB4829DD94B
                            SHA1:35F1F1A18AA4FD2336A4EA9C6005DBE70013C7FC
                            SHA-256:F2DB1E60533F0D108D5FB1004904C1F2E8557D4493F3B251A1B3055F8F1507A3
                            SHA-512:6F8904E658EB7D04C6880F7CC3EC63FCFE31EF2C3A768F4ECF40B115314F23774DAEE66DCE9C55FAF0AD31075A3AC27C8967FD341C23C953CA28BDC120997287
                            Malicious:false
                            Preview:MSCF.....#......D............................#...?...................#..............InterconnectedBlockProcess.glox......#..........Content.inf...<.:#.$[......O..........5f.P.5CU..6..jT..U..U..UM.T.........h................-... .......6...`.....G...........'.,DN:........... "..4..1u.....%.u..{{,....@lp..}..`.......Z...K.....Z..... Z4.<?..C.BF.....k.!Hl...]...Tvf..g....)...vny6.'..f....Z.R.`.......+....!..!.....:..4fj....."q..f..E..^!k.....M.c....R...B......g...~.........o.'.7,.e.,..7.R.e,(.+..+:....Q....f...P.H.I..U.....Jl...l...z.]7...C...<...L.,..@...i.{..e]K...2..KRW..7.-'.G.l!.n7..J.v.C...%/.....q...@..l..e..$..N..sg8]oo.(q(_.?.X.s...Ua..r0...Rz.o.eT.j...b*..}",n.qou..M.[.;%../c.x.4.z.2*.U.]..D...h...-R.$.=\3..P......N.mP......J...}BPn...g]d.5k..C.ee.ml...\.g...[.......<..6$.%.I#S9..I...6.i........_..P.n....c$.3..zw.hF......_{.+...o...[.&........&...M..m.....;....0....D7...4nQ.=/.._`._.nh.D.m..h.+....8..p..q.4.w.\...iy...*...lN6F..c.

                            C:\Users\user\AppData\Local\Temp\cabE7.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):21791
                            Entropy (8bit):7.65837691872985
                            Encrypted:false
                            SSDEEP:384:PWew5RNDcvPgbA8E0GftpBjE0hsyaFLrHRN7BD9lI66YR:P3GRNDcEA8Pi60hsyABDo66g
                            MD5:7BF88B3CA20EB71ED453A3361908E010
                            SHA1:F75F86557051160507397F653D7768836E3B5655
                            SHA-256:E555A610A61DB4F45A29A7FB196A9726C25772594252AD534453E69F05345283
                            SHA-512:2C3DFB0F8913D1D8FF95A55E1A1FD58CE1F9D034268CD7BC0D2BF2DCEFEA8EF05DD62B9AFDE1F983CACADD0529538381632ADFE7195EAC19CE4143414C44DBE3
                            Malicious:false
                            Preview:MSCF............D................................?..................................RadialPictureList.glox.................Content.inf....8....[.... $nq......C...../U..........a......S.Q...Q....j............(..z,.g.........^...Y..D... #i.TH5.<.=N..$..7.p".7.............`.3..1~,=,(.d8.Z.1....4'G.....!W^gClf._j.-N..&k.....Y3` =.(S..B^...i.zB.U....0O..h...I.(.......L...5.X.8.Sc<=>w.=.?&.....mR.......x.......mpW.T..^.FU...SN.C)......vsa.,x......,....E..i>..[g...#t...M..GR.9..$/4.:..q.bc9..x{bC.0..K.)..t.Y.&.v.d.16.B..c..or..W.,.B.........O.0..k.v........*F+..U.w...d...o8......A).}...#......L.!?.U.r.^.$...e.(..PG)8..+.9.5.l}.)..b.7+. 4....-.lC...|..j..Q.,.....7.W...|;j...%...:...|H..........<..%...K.....Fy.q$.k..}..8.9.M.u.?$].......r.....e.|..._..iT.;Dq5[....f.s..P.......e.T....!Y{.....t.wm..A..w-..7...3..T.:8.4.a[.Oo.. V.l.@.}..........E.&..J.....+..+.9)9<.._R.Hb.....V..Qu....:v.t.Li.0..J..V..b...!..N....-mD..c..(.[&o>.M.b..H.q..lk../..........W.8..z..B...

                            C:\Users\user\AppData\Local\Temp\cabE8.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):21111
                            Entropy (8bit):7.6297992466897675
                            Encrypted:false
                            SSDEEP:384:wWZsOvbMZGgbA8E0GftpBjEtnFLrHRN7Dfll7PK/pirk:xZRvuzA8Pi6t9DPISk
                            MD5:D30AD26DBB6DECA4FDD294F48EDAD55D
                            SHA1:CA767A1B6AF72CF170C9E10438F61797E0F2E8CE
                            SHA-256:6B1633DD765A11E7ED26F8F9A4DD45023B3E4ADB903C934DF3917D07A3856BFF
                            SHA-512:7B519F5D82BA0DA3B2EFFAD3029C7CAB63905D534F3CF1F7EA3446C42FA2130665CA7569A105C18289D65FA955C5624009C1D571E8960D2B7C52E0D8B42BE457
                            Malicious:false
                            Preview:MSCF....g.......D...........................g....?..........}.......................TabList.glox.................Content.inf....t....[......@..C...../.U5...........6...`.....T..>3.................=..09`..t......a..Y..BI.Z....=.'0...%...T..........H...>.:A.r......n..p...Pf.h...I.8... ....M.]&.#.vv'.....[c......g....>"......<c..f....i...sb!Z..iu<.%|......q.....G28.h-...7.....W.v...RtdK..F~.0.3.'.e..b7.c......a.3.....a\..]...gp8.+.u/}.w.qF........8.=.=|....\~..S.-q}]0...q.B.H.^J...!...a'.2Tn!..."..%........=.e_-.....{o..%o...a`.w..L.5..r.....e.8...pO..RE.Wgr..b.%.E...O.......8s...E....Um].C..M.....[...H.FZ..4...eZI.$..v.3<]..r....B..............8i......e<.D...Q4.q.^S.....H.b.......r.q..0o.......2..PP,."...JI...xU`.6f..K..Q9.Q..h..t....AI.S6...7............X..`dv..r..S....),7ES....#.....(...\.nh...X.ps%l..F...."<_....q....v........_.e.....P.........|&..fi..4..@..^0..v.]7.......^. ."..}(...w.g.X...=<....p.......L...P..XV....@:....N...Y....

                            C:\Users\user\AppData\Local\Temp\cabE86.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
                            Category:dropped
                            Size (bytes):3256855
                            Entropy (8bit):7.996842935632312
                            Encrypted:true
                            SSDEEP:98304:wh7I1aeH9YvgK+A+a7GiiQzP4YZDpQ2+Sd6Y:w21ay93aypQzzhpBL/
                            MD5:8867BDF5FC754DA9DA6F5BA341334595
                            SHA1:5067CCE84C6C682B75C1EF3DEA067A8D58D80FA9
                            SHA-256:42323DD1D3E88C3207E16E0C95CA1048F2E4CD66183AD23B90171DA381D37B58
                            SHA-512:93421D7FE305D27E7E2FD8521A8B328063CD22FE4DE67CCCF5D3B8F0258EF28027195C53062D179CD2EBA3A7E6F6A34A7A29297D4AF57650AA6DD19D1EF8413D
                            Malicious:false
                            Preview:MSCF....Gm1.....D...............cM..........Gm1..D..............o... ..........MP. .content.inf...7. ......MP. .Vapor_Trail.thmx..n...N..[......L........7...+I..x...P7/...BH..Rm.\yqi.x..B....{.m.............=.....p.%.@......BpV.[......C.4..X./..Y.'SB..........0.Gr.FG.).....R\...2..Jt..1..._.4_B..................cn7H.-.....Q...1..G{G.~.. '.$......@.(....=@=..`....@.@.A. ....'.4`. .@....D...'....S.s..9.7" /....?.aY.c.........LG....k...?_.....P.....?.1.....FB..m..t...['......:...?...W..../~..z.Tr...X.@...._....3..N..p.....b...t.....^..t...~..t.8A...t_....D..3R.Z.=..{.A.8).3-5..v.isz....0A~%.s.D.4....k.K......8......)R.}f.E..n.g&:W...'E....4%T..>......b.y..[..zI....e...j.s....F.....|7826U.C.,..BY.U.F.f......"..#.m..,..._...#.\.....gPP.2.}Kas......g..3.d0.Z.Z.]..n......MY]6.....].m..D.6...?.n.20.,.#...S...JK..#.W.%.Z4.....i..CBf...../..z......n.N...U.....8t...ny...=.!..#..SF..e...1.P..@.Qx*.f.;..t..S.>..... F..)...@.Y..5j....x....vI.mM....Z.W..77...

                            C:\Users\user\AppData\Local\Temp\cabE9.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):26944
                            Entropy (8bit):7.7574645319832225
                            Encrypted:false
                            SSDEEP:384:sbUX16g8/atF4NB3TJOvqeMRD/8svIZj/OwgbA8E0GftpBjEYwFLrHRN7mYll7PY:sbhg8yY4nMZK2hA8Pi6Yum4IVR
                            MD5:F913DD84915753042D856CEC4E5DABA5
                            SHA1:FB1E423C8D09388C3F0B6D44364D94D786E8CF53
                            SHA-256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
                            SHA-512:C48850522C809B18208403B3E721ABEB1187F954045CE2F8C48522368171CC8FAF5F30FA44F6762AFDE130EC72284BB2E74097A35FE61F056656A27F9413C6B6
                            Malicious:false
                            Preview:MSCF....0*......D...........................0*...?..................t,..............ConvergingText.glox.....t,..........Content.inf..C..)t-[.....@.........=...xxA. ...E^....x.x.^.......x..^^...DF.......s..d.P.....5.;..]...2.t.w.....O9.G..;.'.T....@I.,.q.u.3..P...9... ....`J.......g.(....).,.h0.....$.3..;.._.....~.de.jj.....U..K.0....`.@.H.1.x.Z.@..q....?....x.wW.....+am8A".....I..)..]...s..-z.2S+|.Cb.t6f],.n.LV......OVg....O.at|..-..x.....:....]s...u..g}.P..v.3....^.".%..%...#.2.....l00...n.......r8.p.....^.....n.)..,..t.^$b...b.q.W...F..R...n.-.+..'........Aw=._OwH....8.:s..{.#..{N.hW..`.._........Wy....>U.?....-.8tg...=..y..@.,.v|......l...t..l#{...H....9..|......~...De..#@y.&K....U...q.c.zK..D.<pV.....Ql..&Y...=#...w....r.`#2....Ug.J(..T...KmW.@...!....j:......M......!..E.7#s.t..F.aU..N....-.i......|w.lr..G.n.,.......=Kl.-m.?F.....v]?.......{q.U.t...<.|..u.....3R.`.t.T.>;v.....KQ...S...7..1...N.kN.y.)v.....3H:..D.{.+.(......u..^W&.

                            C:\Users\user\AppData\Local\Temp\cabF9.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):21875
                            Entropy (8bit):7.6559132103953305
                            Encrypted:false
                            SSDEEP:384:k73HRpZA6B3ulrnxtRT7G8E0GftpBjEdHqlFLrHRN7uhFlvQyUTL2m4c:k7XRgIkrG8Pi6dmuNvU+mp
                            MD5:E532038762503FFA1371DF03FA2E222D
                            SHA1:F343B559AE21DAEF06CBCD8B2B3695DE1B1A46F0
                            SHA-256:5C70DD1551EB8B9B13EFAFEEAF70F08B307E110CAEE75AD9908A6A42BBCCB07E
                            SHA-512:E0712B481F1991256A01C3D02ED56645F61AA46EB5DE47E5D64D5ECD20052CDA0EE7D38208B5EE982971CCA59F2717B7CAE4DFCF235B779215E7613AA5DCD976
                            Malicious:false
                            Preview:MSCF....c.......D...........................c....?..................................ThemePictureAlternatingAccent.glox.................Content.inf...3.....[.... .qq...........\<.^......o."......f.o...x.{..q..^.MH^...........{0.K....4pX.i...@6A4X.P.01d....'p.......zA.......... .......7.......a. `.=!@- ......>G.s.k~@.a.lfha:m....1...@.,G`....{....W..N..qs.......j.+TrsT.l.9..L...1+...d..-u..-.......).#u&...3......k.&C...DdZ.'.......8..<PF..r.eq.X6...u..v...s5.m.Q.l.G%.<.]....RV<...S..Dv..s.r.......dh.N.3-.Hf'.....3.GZ..E.kt.5......h...|...?!.L....~.)..v....:2.../F.,....o.qi.i7..E.|.mh.R_.@A.FO@i.....Feo...x.l...{E.\W9|V...=#..3..(......tP.:i....Ox.U.N...%6...p.6&.....<zh.z.|.<Z.?.k....y7m...F.Z$-.:.l.h...{T..7....?..T...d,r...z?../...`/Z......a.v@)....u......V..v.:.._.|.'..[..O.s.OAt-."b.In"..I...J*.~H.:-...?..uV....dZ;z:.l.{.E.,.Q..i]:.0r.I.y..f...../j.wN...^R.....u....>..}....f.f...]A..C~;/....%..^#..N.a..........99.....`.....%..iS....S......$....)

                            C:\Users\user\AppData\Local\Temp\cabFC.tmp

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
                            Category:dropped
                            Size (bytes):23597
                            Entropy (8bit):7.692965575678876
                            Encrypted:false
                            SSDEEP:384:y6aR//q0bJi/Uj+957G8E0GftpBj/4YOFLrHRN7LxhKll7PK/ph:y6I/Li/UjmVG8PiZ4YsLxh6Ih
                            MD5:7C645EC505982FE529D0E5035B378FFC
                            SHA1:1488ED81B350938D68A47C7F0BCE8D91FB1673E2
                            SHA-256:298FD9DADF0ACEBB2AA058A09EEBFAE15E5D1C5A8982DEE6669C63FB6119A13D
                            SHA-512:9F410DA5DB24B0B72E7774B4CF4398EDF0D361B9A79FBE2736A1DDD770AFE280877F5B430E0D26147CCA0524A54EA8B41F88B771F3598C2744A7803237B314B2
                            Malicious:false
                            Preview:MSCF............D................................?..................................pictureorgchart.glox.................Content.inf.W..y....[.............../.jC....U.CUUUTU.5...jjPU..MP....T..0*....o0.......Y.=....P.({.3.p..."pA!>r../3.q..7...........!...TO....(..%......6...3E?....~......CZmndse.Qy....p....h....=.:5...F..%.E.&.v.`I~. ..%._..b]..Y..Q..R.........nN.q8c..a..L..X/.M...PP.q..SpZ.K]>D"Pf..B.c....0..|I.Q.,.g/..Kev.../..=......w..}3.....(....+#T.....K`N.u..Z.....rriK.(...(...6.<R.%.]..NX..b..].C.u....++......Ia.x. .7....J.#............w>....7..R...H>....@%....~.yA.......~.UB..*. .P..$...-...v.....=M."....hw..b....{.....2pR....].C..u@=G."Y..;..gc/N.N.YB.Z.q.#....$....j.D.*.P..!.)S.{..c....&'E.lJ%.|O.a...FG.|.....A..h.=c7.)d.5...D...L...IQ..TTE.*NL-.*M..>..p0.`......m..,.w#rZ..wR\@.Wn..@Q...}..&...E...0K.NY....M.71..`.M./:.>..._L..m...,U.l....._fi...nj9..,..w.s.kJ.m.s.M.vmw.!.....B.s.%.-').h.....)c.l....F..`3r...-.....0..7..&N.....n.#H...<7

                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Presentation.LNK

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:35 2023, mtime=Tue Oct 1 12:06:36 2024, atime=Tue Oct 1 12:06:31 2024, length=58333, window=hide
                            Category:dropped
                            Size (bytes):530
                            Entropy (8bit):4.710703786226438
                            Encrypted:false
                            SSDEEP:6:4xtQl3xx2gEBHfOUB1jAlsgMCruRMAalAljAluxmwvNB8W0ruRMA1qWl/QmKtFtv:8g8jB/OUBhTBCOjAiMwtttzHBmV
                            MD5:CC3BB76F7F4E2CDE212CBF56CF2A7CFC
                            SHA1:9F828A7F25CAA53E4F57523A71A23A9A8F3D77C9
                            SHA-256:83B67B1F7B91302D7132774F70A903BC05158628889BA525ADA28DE9E4F0DD7F
                            SHA-512:17EA33E7D3C23302DE6E2EE4BC6A72276CA314368FCE3AA8B5BAB6BC30923856093820F55958546615A5E3F20F3BA51842D6EBD32F952F29C5F6CB23A1F25290
                            Malicious:false
                            Preview:L..................F.... ....,......"......... .............................r.p.2.....AY.h .PRESEN~1.PPT..T......DWR`AY.h..........................I.8.P.r.e.s.e.n.t.a.t.i.o.n...p.p.t.x.......W...............-.......V............F.......C:\Users\user\Desktop\Presentation.pptx..(.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.r.e.s.e.n.t.a.t.i.o.n...p.p.t.x.`.......X.......506013...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Generic INItialization configuration [folders]
                            Category:dropped
                            Size (bytes):59
                            Entropy (8bit):4.427146388668159
                            Encrypted:false
                            SSDEEP:3:H+ceRDFSm4lAHeRDFSv:Hg7g7c
                            MD5:8EBECEAE8A01DA3B4424969A129094B5
                            SHA1:CEB417C16F5467D414B495DFAB9BF678EC6F60FB
                            SHA-256:7C4838495A06710D016DDC81A83087850052566BF9849770A75A9ECA60103CCD
                            SHA-512:174A3624BF97B2989D2F6DAFF872964BD934DFC1A9A498C103BFDD504952A9B8413B4AD63ACC55584D7707347C165F72B8A968AC8327D13577DD80110BCD6458
                            Malicious:false
                            Preview:[misc]..Presentation.LNK=0..[folders]..Presentation.LNK=0..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):1824766
                            Entropy (8bit):7.941741037170679
                            Encrypted:false
                            SSDEEP:24576:jS2WTsZasyuJiyV0mDUoHLgwPjvv96H8D86IRZ2s4p/H2rDCg+tuXlYMErpGzwZN:OKYlO3BpPTvc8oFZ29/Rg+rrDLr
                            MD5:C5A07069AD7E82F3AEB099F346C4FF62
                            SHA1:39A58834FD8A25AED63FB83F0C00712AFC3BD2F5
                            SHA-256:EB7806D9DC3D2ABF82A061709BCD9DB8DD98FA060E66DAF6820D1FA81BB5B845
                            SHA-512:343FB8BFFA01801EED7289A513564B55B0045FF3D0A842A819CECE416C53C2398D0A0D9B55397BF2EAD5393638085AB6AB83ECB2C701F532BD55C0FED4C98EEC
                            Malicious:false
                            Preview:PK........l.%A.f}......p......[Content_Types].xml..n.@.._......8i.'......}.......(y...H}......3Fi..%.......3..._...j.`.2....cod.(...r...w{s..)...]..3..APF.61...6ug.Y...... 7.....d<..Q.V6.N......{.0.U5...>.-..Ko.nw.f...'.....!.s.=fw.{PaW.. ..82.;.<..os....n....>...w..%....P...v...v....'....m.m..3.[.._...:[,...h..!~s..^..Y..E.....^.9Y.j.....#x......3....=....b}4O.*....k7.+.&.Xg.X.X..XSN.KN.+N.7.X....!..CR....I]...>....L...!=...9..!L.0.v.gEo\.......w..No.a.C.q.}<.........a..n./......e.-)h9a..}i.}.."-..C.C.Xq..0?..M4.........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......4....&T......Wlw.b....}..+.A\...q......~.WK.Z^..........>.h..`......}......k..s.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G.....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ...-Z.>X.2.....>8..S.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):787354
                            Entropy (8bit):7.849038074328931
                            Encrypted:false
                            SSDEEP:12288:RBbqz121ANZ40EdYNyNv3GaNBlHT3pxozHUt3HnpHQPegZ+dNu+7TrlpocfYFWCH:qDNhEYNyJNBlT3pxoz0tAtZ00j
                            MD5:BBACB56BBFFA78CD4A21A9A6B331D84A
                            SHA1:5A854FB2FDFB3BD38DDE1AC7C832BA0FFD46F4F1
                            SHA-256:BD9DE870D21C8A5336ADC759EBFB740E105764810DD4B5B88BCA6213C9133CD7
                            SHA-512:59D798652E181582593B44015803A13F9838EE1C5971D2992F968D314CDB80B77A9869344D9D1FD26C2D8AFC4574DD9145E795DCFDA706E6CF1B49CAB6402C7B
                            Malicious:false
                            Preview:PK........x.%A}.4+.....k......[Content_Types].xml..n.@.E_.y.ac $..,........-..g@.u.G.+t.:......A1......=..._..d.....Y:.B...t.e.8]..].....s.M.=.....6...&Z.D.?.u..,."Q.].. W.....p0..Q.Z........Rm7....}\.{.W^.....Z3/N...o.....1'.T.o.HYw?....._,.<<c.qnn...8.:.B9.."^...U.O*q.....>..-]..O...-.q..Y.M...:.M+...}..y..{.0..V'K6.K?Qqz........c^..~GN.*s_..Q=g[k.....8..XCN..'....k.u.u....+..r...!.A....!.Q....a...7U.*uH...!gi=..Y.[.v{&.......q.=.[.v{....k.5.........4Y9..3Y).....v..mi...Wi.~.=G.....t.?.S......bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`...[..u...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C.&2.k...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C..d...*&T9..\..q...W.\...r.?.... .W.C...&+h.r&+f.R.%X..K..-.`.h....e.......zu9JR..7..Y=..6.?PK..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):738429
                            Entropy (8bit):7.8235726750504355
                            Encrypted:false
                            SSDEEP:12288:MIA7gJFzMeFZaq2fscBNVRFCToZr5RCmUQHr+kRBhFF0s9XH44qTxQXMI:hA7gJFzZ2xBbmsZdRC4Ck19X44qyMI
                            MD5:8EBD58005DAF9C4EC15AC2530D3A4A30
                            SHA1:D11B9F2B85F20EB3DB28C4D9C9FDD909848E3E05
                            SHA-256:D3AB94FDC32B10903AD444F6F3518F93C3D7348FB945168DD8140C74BB7D7E26
                            SHA-512:00A3A6F8A8D10F4BAD87C3BEAE299D0E28931593EF0FB4145711B1D164A3351A8EF131DA0F26AAB9C3EB7AC214B69E1F03CB52E0E1EA95EB444664D5B0B998E9
                            Malicious:false
                            Preview:PK........e.$A}.4+.....k......[Content_Types].xml..n.@.E_.y.ac $..,........-..g@.u.G.+t.:......A1......=..._..d.....Y:.B...t.e.8]..].....s.M.=.....6...&Z.D.?.u..,."Q.].. W.....p0..Q.Z........Rm7....}\.{.W^.....Z3/N...o.....1'.T.o.HYw?....._,.<<c.qnn...8.:.B9.."^...U.O*q.....>..-]..O...-.q..Y.M...:.M+...}..y..{.0..V'K6.K?Qqz........c^..~GN.*s_..Q=g[k.....8..XCN..'....k.u.u....+..r...!.A....!.Q....a...7U.*uH...!gi=..Y.[.v{&.......q.=.[.v{....k.5.........4Y9..3Y).....v..mi...Wi.~.=G.....t.?.S......bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`........bB..H.%X.W..r.>.... .W.\...rU?.++i..&+g.b&+e\..h....r.V..^.JZ..j`...[..u...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C.&2.k...UN -.`A\a..U. .W.\...r5?..U..............q.....,D.%X5Zz.*i.....C..d...*&T9..\..q...W.\...r.?.... .W.C...&+h.r&+f.R.%X..K..-.`.h....e.......zu9JR..7..Y=..6.?PK..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900720[[fn=Integral]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):3446188
                            Entropy (8bit):7.939078022105486
                            Encrypted:false
                            SSDEEP:98304:hAABj6t8mC7x/pS6+X3Bzx37OjbqOMhbEsMWII5:ct8mC7x/pS6uBzp5NhAsMWt
                            MD5:AD1C52DB4C29726B3A2D28DDA1110F76
                            SHA1:46A0656C55202A4ADFAAC7E98E9E1340C4A1FD55
                            SHA-256:7973C1386416C251569ACC3CDBFE04DA848262A9A2DA998F915E000BFD6B52B3
                            SHA-512:95C3F09611F977EB3F146C9844D7B96AF3E8123CF3393884CD10EFE7C250F446A565EDAFED1CF1FA6DCAC4D7EADAFACAD134D2A75A8CFB74462F62F5EA8B7400
                            Malicious:false
                            Preview:PK.........Z&A........a.......[Content_Types].xml...r.`...[a.:%..R.v..p.gh..$d...^../.[0.e..=d....B...c.._?~._>$..}...2.t]...D.ty...I........._....T.M.I..,..APLo.$,z.,J.wf.<...e>..p.=.G......eZFiyT...8....E...P}y}..,.w;...\]k.....o......9(.E<.....>..I;....|.Lq.g....]..g......~>W.<....0/?.I.....g...U.V..3....l.O........m.l...T.....h.GE.......'K....$...z.E..(.Gc.....N......>...b....Z...Y.f.13k..:af..Y..13...........8L....o...s.....k...l.k....K.Z..i[..7mk...m._........~.../.^...{..Z...r@........P.@.....Z..d....R..e.O..jY.S.,..Z..T-K}....Z-^}.}iyS_C.C}.6.w.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_.....}iyS_C.C}C...*....Y.R..uwY.S.,..Z..T-K}...>U.R..e.O..W..o./-o.kha....N.LP..e.O...,..Z..T-K}...>U.R..e.O..jY....w./-o.kha.odC}#...s"kY....K}...>U.R..e.O..jY.S.,..Z..j.x.....M}.-....P....9..,..\[w..>U.R..e.O..jY.S.,..Z..T-K}.Z..N...M}.-...m.o.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_............3..;S0A='...>.k...jY.S.,..Z..T-K}...>U.R..e..V.W.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900722[[fn=Ion Boardroom]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1593982
                            Entropy (8bit):7.907400454215888
                            Encrypted:false
                            SSDEEP:24576:zT2WTsZasyuJiyV0mDUoHLgwPjvgpEtrYpXjdHo8dJNgR6MxNTkdXylo:/KYlO3BpPTgpEtkpXJTgHxWuo
                            MD5:407ACAACDD935B4C82A2D4AF73D07744
                            SHA1:E7AB195DF6F9BFD7676C34503E337194DC7631DD
                            SHA-256:ED85105C65F81EC015215B76ECBD46BEE4CAAA17AD716393DFD15D5DCD57A3E4
                            SHA-512:03D30E2357319A8153D242EEE035DDFDA718CE93E00C0D99ECF82C1387D1FE1A436111E13AD1CE67214C87CF4709D68FF452C041772A43CB242786ED4090370A
                            Malicious:false
                            Preview:PK..........AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900743[[fn=Organic]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):8705569
                            Entropy (8bit):7.955490103632122
                            Encrypted:false
                            SSDEEP:196608:fHnG7lmZcnwldXA4AZwsjVvWJ5u2AbKLCIV50CAmad7uS/5o:u7lVGXA4ABJWJc2A6rkno
                            MD5:476CF35ED8367EB98237B6428266D6D8
                            SHA1:37B320D5109D5FB41044F329187CFECAA8DE2A9C
                            SHA-256:71739BEA66F1DEE0789A7675ADD098123EC0E8E45EB74D707F6412B28FCBAE81
                            SHA-512:7280C51F2DC97871C8B959A971445E1CE1499D108204C025043A0B44E9A9D6AC03E1326BBE652EF2EF900BC6F3F5566A32DBA5AA2EEA6A84F1585323E9C9CAE0
                            Malicious:false
                            Preview:PK..........A.f}......p......[Content_Types].xml..n.@.._......8i.'......}.......(y...H}......3Fi..%.......3..._...j.`.2....cod.(...r...w{s..)...]..3..APF.61...6ug.Y...... 7.....d<..Q.V6.N......{.0.U5...>.-..Ko.nw.f...'.....!.s.=fw.{PaW.. ..82.;.<..os....n....>...w..%....P...v...v....'....m.m..3.[.._...:[,...h..!~s..^..Y..E.....^.9Y.j.....#x......3....=....b}4O.*....k7.+.&.Xg.X.X..XSN.KN.+N.7.X....!..CR....I]...>....L...!=...9..!L.0.v.gEo\.......w..No.a.C.q.}<.........a..n./......e.-)h9a..}i.}.."-..C.C.Xq..0?..M4.........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......4....&T......Wlw.b....}..+.A\...q......~.WK.Z^..........>.h..`......}......k..s.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G.....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ...-Z.>X.2.....>8..S.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900769[[fn=Retrospect]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):1623260
                            Entropy (8bit):7.867463315196704
                            Encrypted:false
                            SSDEEP:24576:bimPI+bGSIB3FKbFGTCpavIOuaR0Um9BbbjE68+xiMNcayWSvHo5R/m:OmPI+6fB3Abk8Q5tHmAsiMNccSvIr/m
                            MD5:126269588DEC71F54D53B563106D0500
                            SHA1:E4E27B005A9728617832F0F2645980CC2CE6EC52
                            SHA-256:0C11107C6CF799125DB9352E2F3A0D2B9ED5D55CBBEAED66D79464058598D94B
                            SHA-512:667F9CA3929926397ED5B43DF4859B8C52973F2603405763308D931C32C4DA831A144ED7041096AFC7CDD291B2978622DED5DD4C16C6BFB0F18235E05B212E5A
                            Malicious:false
                            Preview:PK.........Z&A........a.......[Content_Types].xml...r.`...[a.:%..R.v..p.gh..$d...^../.[0.e..=d....B...c.._?~._>$..}...2.t]...D.ty...I........._....T.M.I..,..APLo.$,z.,J.wf.<...e>..p.=.G......eZFiyT...8....E...P}y}..,.w;...\]k.....o......9(.E<.....>..I;....|.Lq.g....]..g......~>W.<....0/?.I.....g...U.V..3....l.O........m.l...T.....h.GE.......'K....$...z.E..(.Gc.....N......>...b....Z...Y.f.13k..:af..Y..13...........8L....o...s.....k...l.k....K.Z..i[..7mk...m._........~.../.^...{..Z...r@........P.@.....Z..d....R..e.O..jY.S.,..Z..T-K}....Z-^}.}iyS_C.C}.6.w.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_.....}iyS_C.C}C...*....Y.R..uwY.S.,..Z..T-K}...>U.R..e.O..W..o./-o.kha....N.LP..e.O...,..Z..T-K}...>U.R..e.O..jY....w./-o.kha.odC}#...s"kY....K}...>U.R..e.O..jY.S.,..Z..j.x.....M}.-....P....9..,..\[w..>U.R..e.O..jY.S.,..Z..T-K}.Z..N...M}.-...m.o.`.zNd-K}2...e.O..jY.S.,..Z..T-K}...>U.R_............3..;S0A='...>.k...jY.S.,..Z..T-K}...>U.R..e..V.W.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):562113
                            Entropy (8bit):7.67409707491542
                            Encrypted:false
                            SSDEEP:12288:/dy5Gtyp/FZ9QqjdxDfSp424XeavSktiAVE0:/dizp1ndpqpMZnV
                            MD5:4A1657A3872F9A77EC257F41B8F56B3D
                            SHA1:4DDEA85C649A2C1408B5B08A15DEF49BAA608A0B
                            SHA-256:C17103ADE455094E17AC182AD4B4B6A8C942FD3ACB381F9A5E34E3F8B416AE60
                            SHA-512:7A2932639E06D79A5CE1D3C71091890D9E329CA60251E16AE4095E4A06C6428B4F86B7FFFA097BF3EEFA064370A4D51CA3DF8C89EAFA3B1F45384759DEC72922
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1649585
                            Entropy (8bit):7.875240099125746
                            Encrypted:false
                            SSDEEP:24576:L368X6z95zf5BbQ6U79dYy2HiTIxRboyM/LZTl5KnCc:r68kb7UTYxGIxmnp65
                            MD5:35200E94CEB3BB7A8B34B4E93E039023
                            SHA1:5BB55EDAA4CDF9D805E36C36FB092E451BDDB74D
                            SHA-256:6CE04E8827ABAEA9B292048C5F84D824DE3CEFDB493101C2DB207BD4475AF1FD
                            SHA-512:ED80CEE7C22D10664076BA7558A79485AA39BE80582CEC9A222621764DAE5EFA70F648F8E8C5C83B6FE31C2A9A933C814929782A964A47157505F4AE79A3E2F9
                            Malicious:false
                            Preview:PK..........1A..u._....P......[Content_Types].xml..Ms.@.....!...=.7....;a.h.&Y..l..H~..`;...d..g/..e..,M..C...5...#g/."L..;...#. ]..f...w../._.2Y8..X.[..7._.[...K3..#.4......D.]l.?...~.&J&....p..wr-v.r.?...i.d.:o....Z.a|._....|.d...A....A".0.J......nz....#.s.m.......(.]........~..XC..J......+.|...(b}...K!._.D....uN....u..U..b=.^..[...f...f.,...eo..z.8.mz....."..D..SU.}ENp.k.e}.O.N....:^....5.d.9Y.N..5.d.q.^s..}R...._E..D...o..o...o...f.6;s.Z]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...S.....0.zN.... ...>..>..>..>..>..>..>........e...,..7...F(L.....>.ku...i...i...i...i...i...i...i........yi.....G...1.....j...r.Z]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o|^Z....Q}.;.o...9.Z..\.V...............................jZ......k.pT...0.zN.... ...>..>..>..>..>..>..>........e...,..7...f(L.....>.ku...i...i...i...i...i...i...i........yi.......n.....{.._f...0...PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):558035
                            Entropy (8bit):7.696653383430889
                            Encrypted:false
                            SSDEEP:12288:DQ/oYjRRRRRRRRYcdY/5ASWYqBMp8xsGGEOzI7vQQwOyP:DQ/nRRRRRRRRxY/5JWYZ3GGbI8YA
                            MD5:3B5E44DDC6AE612E0346C58C2A5390E3
                            SHA1:23BCF3FCB61F80C91D2CFFD8221394B1CB359C87
                            SHA-256:9ED9AD4EB45E664800A4876101CBEE65C232EF478B6DE502A330D7C89C9AE8E2
                            SHA-512:2E63419F272C6E411CA81945E85E08A6E3230A2F601C4D28D6312DB5C31321F94FAFA768B16BC377AE37B154C6869CA387005693A79C5AB1AC45ED73BCCC6479
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457452[[fn=Celestial]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3295051
                            Entropy (8bit):7.9549249539064
                            Encrypted:false
                            SSDEEP:98304:RMKPrL1cgIF6jyoKfszvzC2UFsp3SUwDyMdghJU:RLPrGgIF6jJKAvO2UAiwU
                            MD5:5978107C3CB2A4A8427E643D0A5587EB
                            SHA1:A3A865B6D128E7C9C5821DF03B9EDFE136F53D17
                            SHA-256:DDCEAEC2A8E652B60CFA4D5D4C7895D70AD25A214D70DE884302C8FE18F53910
                            SHA-512:D9E0B9D52665F4C1E4B6CC32E6DEBA4C0CBC9309728415AC9588DDD84CAD47A90567192D24BF7FF2F5DD7836A559F396B5015ABF3E085ABC9B813FF365388D65
                            Malicious:false
                            Preview:PK..........1A.f}......p......[Content_Types].xml..n.@.._......8i.'......}.......(y...H}......3Fi..%.......3..._...j.`.2....cod.(...r...w{s..)...]..3..APF.61...6ug.Y...... 7.....d<..Q.V6.N......{.0.U5...>.-..Ko.nw.f...'.....!.s.=fw.{PaW.. ..82.;.<..os....n....>...w..%....P...v...v....'....m.m..3.[.._...:[,...h..!~s..^..Y..E.....^.9Y.j.....#x......3....=....b}4O.*....k7.+.&.Xg.X.X..XSN.KN.+N.7.X....!..CR....I]...>....L...!=...9..!L.0.v.gEo\.......w..No.a.C.q.}<.........a..n./......e.-)h9a..}i.}.."-..C.C.Xq..0?..M4.........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......4....&T......Wlw.b....}..+.A\...q......~.WK.Z^..........>.h..`......}......k..s.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G.....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ...-Z.>X.2.....>8..S.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G....(.P.'....B\...}..+.A\...q.....~..+.!\-1hyAK.ZV...... ..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):570901
                            Entropy (8bit):7.674434888248144
                            Encrypted:false
                            SSDEEP:6144:D2tTXiO/3GH5SkPQVAqWnGrkFxvay910UUTWZJarUv9TA0g8:kX32H+VWgkFxSgGTmarUv9T
                            MD5:D676DE8877ACEB43EF0ED570A2B30F0E
                            SHA1:6C8922697105CEC7894966C9C5553BEB64744717
                            SHA-256:DF012D101DE808F6CD872DFBB619B16732C23CF4ABC64149B6C3CE49E9EFDA01
                            SHA-512:F40BADA680EA5CA508947290BA73901D78DE79EAA10D01EAEF975B80612D60E75662BDA542E7F71C2BBA5CA9BA46ECAFE208FD6E40C1F929BB5E407B10E89FBD
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):523048
                            Entropy (8bit):7.715248170753013
                            Encrypted:false
                            SSDEEP:6144:WfmDdN6Zfv8q5rnM6vZ02PtMZRkfW5ipbnMHxVcsOWrCMxy0sD/mcKb4rYEY:xDdQXBrMi2YtggW5ObnMH1brJpUmBU0N
                            MD5:C276F590BB846309A5E30ADC35C502AD
                            SHA1:CA6D9D6902475F0BE500B12B7204DD1864E7DD02
                            SHA-256:782996D93DEBD2AF9B91E7F529767A8CE84ACCC36CD62F24EBB5117228B98F58
                            SHA-512:B85165C769DFE037502E125A04CFACDA7F7CC36184B8D0A54C1F9773666FFCC43A1B13373093F97B380871571788D532DEEA352E8D418E12FD7AAD6ADB75A150
                            Malicious:false
                            Preview:PK..........1AE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3078052
                            Entropy (8bit):7.954129852655753
                            Encrypted:false
                            SSDEEP:49152:bSEjlpY8skyFHuj2yY0ciM9U2NCVBB4YFzYFw7IaJE2VRK+Xn9DOOe9pp9N9Hu:bfp5sksA3cimUVxV05aJE2fKaDOXdN9O
                            MD5:CDF98D6B111CF35576343B962EA5EEC6
                            SHA1:D481A70EC9835B82BD6E54316BF27FAD05F13A1C
                            SHA-256:E3F108DDB3B8581A7A2290DD1E220957E357A802ECA5B3087C95ED13AD93A734
                            SHA-512:95C352869D08C0FE903B15311622003CB4635DE8F3A624C402C869F1715316BE2D8D9C0AB58548A84BBB32757E5A1F244B1014120543581FDEA7D7D9D502EF9C
                            Malicious:false
                            Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):777647
                            Entropy (8bit):7.689662652914981
                            Encrypted:false
                            SSDEEP:6144:B04bNOJMngI856k0wwOGXMaXTLaTDmfBaN2Tx9iSUk1PdSnc0lnDlcGMcEFYYYYt:xbY6ngI46Aw5dmyYYYYYYYYY7p8d
                            MD5:B30D2EF0FC261AECE90B62E9C5597379
                            SHA1:4893C5B9BE04ECBB19EE45FFCE33CA56C7894FE3
                            SHA-256:BB170D6DE4EE8466F56C93DC26E47EE8A229B9C4842EA8DD0D9CCC71BC8E2976
                            SHA-512:2E728408C20C3C23C84A1C22DB28F0943AAA960B4436F8C77570448D5BEA9B8D53D95F7562883FA4F9B282DFE2FD07251EEEFDE5481E49F99B8FEDB66AAAAB68
                            Malicious:false
                            Preview:PK.........V'B.._<....-.......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):924687
                            Entropy (8bit):7.824849396154325
                            Encrypted:false
                            SSDEEP:12288:lsadD3eLxI8XSh4yDwFw8oWR+6dmw2ZpQDKpazILv7Jzny/ApcWqyOpEZULn:qLxI8XSh4yUF/oWR+mLKpYIr7l3ZQ7n
                            MD5:97EEC245165F2296139EF8D4D43BBB66
                            SHA1:0D91B68CCB6063EB342CFCED4F21A1CE4115C209
                            SHA-256:3C5CF7BDB27592791ADF4E7C5A09DDE4658E10ED8F47845064DB1153BE69487C
                            SHA-512:8594C49CAB6FF8385B1D6E174431DAFB0E947A8D7D3F200E622AE8260C793906E17AA3E6550D4775573858EA1243CCBF7132973CD1CF7A72C3587B9691535FF8
                            Malicious:false
                            Preview:PK..........1AS'......ip......[Content_Types].xml..n.@.._......8ie'......}.......(y...H}......3Fi..%2.v?..3..._...d=..E.g.....7.i.-.t5.6......}}.m9r.......m...ML.g.M.eV$.r..*.M..l0...A...M..j;.w={o.f..F....i..v......5..d;..D.ySa...M&..qd*w>.O.{h...|w..5.]..'.CS<.:8C}.g.|E.../..>..].Tnml..I.......r.Gv.E....7.;.E......4/l.....6.K.C?1qz.O.v_..r......\c.c.>..lS........X.N.3N.sN..N.)'.%'..'..N.pL.E...T.!..CR....Ie..k.o..M..w.B.0}..3....v..+....,.q..pz.......v{.;....s3.|..V..ZZ......0.[.....x.....!.!~.8.e..n..&.}p....s.i.. ..[]...q.r....~..+.A\...q............e.-)h9..."Z.>...5-C..`..g.}........r.A.+..\...r.>.... .W.\...re?..%.-/hiA..ZR.r.W.D.\}.EK..kZ.>......5..9.&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^h....L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i..`..G..j..).&T......Wlu.b....}..+.A\...q......~.WK.Z^..........>.h..`......}.....^j..K.L...H...!...r.>... .W...\...rE?............-+hIA..\}..r...-}..i.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):966946
                            Entropy (8bit):7.8785200658952
                            Encrypted:false
                            SSDEEP:24576:qBcvGBGhXQir6H1ws6+iU0YuA35VuinHX2NPs:ccvGBGdQ5CsMxQVj3yPs
                            MD5:F03AB824395A8F1F1C4F92763E5C5CAD
                            SHA1:A6E021918C3CEFFB6490222D37ECEED1FC435D52
                            SHA-256:D96F7A63A912CA058FB140138C41DCB3AF16638BA40820016AF78DF5D07FAEDD
                            SHA-512:0241146B63C938F11045FB9DF5360F63EF05B9B3DD1272A3E3E329A1BFEC5A4A645D5472461DE9C06CFE4ADB991FE96C58F0357249806C341999C033CD88A7AF
                            Malicious:false
                            Preview:PK..........1A.......F`......[Content_Types].xml..n.@.._.y.ac $..,........-..g@.u.G.+t.:........D1...itgt>...k..lz;].8Kg^....N.l..........0.~}....ykk.A`..N..\...2+.e.c..r..P+....I.e.......|.^/.vc{......s..z....f^...8...'.zcN&.<....}.K.'h..X..y.c.qnn.s%...V('~v.W.......I%nX`.....G.........r.Gz.E..M.."..M....6n.a..V.K6.G?Qqz..............\e.K.>..lkM...`...k.5...sb.rbM8..8..9..pb..R..{>$..C.>......X..iw.'..a.09CPk.n...v....5n..Uk\...SC...j.Y.....Vq..vk>mi......z..t....v.]...n...e(.....s.i......]...q.r....~.WV/.j.Y......K..-.. Z..@.\.P..W...A..X8.`$C.F(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........c..0F...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP..........(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-.............0A...@Z.....v.+.A\...q.......ZAV'p)...R.D....K..-...h....eP.........w(.P..H...W..r.>... .W.C..zAV+.....@.\..h....r)...R..-..........T..GI..~.....~....PK..........1A.s@.....O......._rels/.rels...J.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1204049
                            Entropy (8bit):7.92476783994848
                            Encrypted:false
                            SSDEEP:24576:+3zSQBxvOUIpHLYTCEmS1Wu09jRalJP3sdgnmAOFt0zU4L0MRx5QNn5:+bvI5UTCPu09qP3JPOFoR4N5
                            MD5:FD5BBC58056522847B3B75750603DF0C
                            SHA1:97313E85C0937739AF7C7FC084A10BF202AC9942
                            SHA-256:44976408BD6D2703BDBE177259061A502552193B1CD05E09B698C0DAC3653C5F
                            SHA-512:DBD72827044331215A7221CA9B0ECB8809C7C79825B9A2275F3450BAE016D7D320B4CA94095F7CEF4372AC63155C78CA4795E23F93166D4720032ECF9F932B8E
                            Malicious:false
                            Preview:PK..........1A..d T....P......[Content_Types].xml..Ms.@.....!...=.7....kX 5o.,L..<..........d..g/..dw.]...C...9...#g/."L..;...#. ]..f...w../._.3Y8..X.[..7._.[...K3..3.4......D.]l.?...~.&J&...s...;...H9...e.3.q.....k-.0>Lp:.7..eT...Y...P...OVg.....G..).aV...\Z.x...W.>f...oq.8.....I?Ky...g..."...J?....A$zL.].7.M.^..\....C..d/;.J0.7k.X4.e..?N{....r.."LZx.H?. ......;r.+...A<.;U.....4...!'k...s.&..)'k...d..d......._E..D...o..o...o...f.7;s..]...Uk6d.j..MW....5[C].f#...l;u.M..Z.../iM|...b...s.....0..O.... ...>..>..>..>..>..>..>.........2V}......Q}#.&T...rU....\..\..\..\..\..\..\..\.W..W.^Z....Q}c;.o...>.Z..\.v...............................*Z....K.X.5X8.obG.MP.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.M.).....j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oZ/-c..`....7CaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,...|...].k.........PK..........1A.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):486596
                            Entropy (8bit):7.668294441507828
                            Encrypted:false
                            SSDEEP:6144:A+JBmUx0Zo24n8z/2NSYFl2qGBuv8p6+LwwYmN59wBttsdJrmXMlP1NwQoGgeL:fNgxz/g5z2BT6+Eu0ntMcczNQG5L
                            MD5:0E37AECABDB3FDF8AAFEDB9C6D693D2F
                            SHA1:F29254D2476DF70979F723DE38A4BF41C341AC78
                            SHA-256:7AC7629142C2508B070F09788217114A70DE14ACDB9EA30CBAB0246F45082349
                            SHA-512:DE6AFE015C1D41737D50ADD857300996F6E929FED49CB71BC59BB091F9DAB76574C56DEA0488B0869FE61E563B07EBB7330C8745BC1DF6305594AC9BDEA4A6BF
                            Malicious:false
                            Preview:PK.........V'BE,.{....#P......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.~n..Ofu.-..K.e....{..A.~.8.#D..)o.7..........:2........=......f...u....[..}...u.6b...xz.[...G..|#...$....)J./.......7.............oQ..]^.M........wy}7a.....&l................w.......l._...l..?.A..........r..9.|.8.........{w...........n...]^.M........wy}7a.....&l.................`..z..`.....2.o...wx}.....>..c.M..Arr#.....nD..[.....w......n...]^.M........wy}7a.....&l........w........... ..Fp....w_Q....g..tL.i.?H.o...]^..........n...]^.M........wy}7a.....&l.................`..z..`

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):976001
                            Entropy (8bit):7.791956689344336
                            Encrypted:false
                            SSDEEP:24576:zHM7eZGgFiHMRej4N9tpytNZ+tIw5ErZBImlX0m:zHM7eZGgFiHMRej++NZ+F5WvllZ
                            MD5:9E563D44C28B9632A7CF4BD046161994
                            SHA1:D3DB4E5F5B1CC6DD08BB3EBF488FF05411348A11
                            SHA-256:86A70CDBE4377C32729FD6C5A0B5332B7925A91C492292B7F9C636321E6FAD86
                            SHA-512:8EB14A1B10CB5C7607D3E07E63F668CFC5FC345B438D39138D62CADF335244952FBC016A311D5CB8A71D50660C49087B909528FC06C1D10AF313F904C06CBD5C
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):1463634
                            Entropy (8bit):7.898382456989258
                            Encrypted:false
                            SSDEEP:24576:75MGNW/UpLkupMAqDJhNHK4/TuiKbdhbZM+byLH/:7ZwUpLkulkHK46iiDZHeLH/
                            MD5:ACBA78931B156E4AF5C4EF9E4AB3003B
                            SHA1:2A1F506749A046ECFB049F23EC43B429530EC489
                            SHA-256:943E4044C40ABA93BD7EA31E8B5EBEBD7976085E8B1A89E905952FA8DAC7B878
                            SHA-512:2815D912088BA049F468CA9D65B92F8951A9BE82AB194DBFACCF0E91F0202820F5BC9535966654D28F69A8B92D048808E95FEA93042D8C5DEA1DCB0D58BE5175
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2218943
                            Entropy (8bit):7.942378408801199
                            Encrypted:false
                            SSDEEP:49152:8mwK3gH/l4hM06Wqnnl1IdO9wASFntrPEWNe7:863gHt4hM9WWnMdO9w35PEWK
                            MD5:EE33FDA08FBF10EF6450B875717F8887
                            SHA1:7DFA77B8F4559115A6BF186EDE51727731D7107D
                            SHA-256:5CF611069F281584DE3E63DE8B99253AA665867299DC0192E8274A32A82CAA20
                            SHA-512:AED6E11003AAAACC3FB28AE838EDA521CB5411155063DFC391ACE2B9CBDFBD5476FAB2B5CC528485943EBBF537B95F026B7B5AB619893716F0A91AEFF076D885
                            Malicious:false
                            Preview:PK.........{MBS'..t...ip......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`.../.|u1..Y.....nK.......u=..2.tu~^L.Y5]/...~+.v...o....j.`?.S...../.by.|..>."kZbs....H.9..m.z.]W.V.?~v........;...N.......w....;.z..N.......w.....R.._..w._..w._..w._..w._..w._..w.n..Ofu.-..K.e........T..q.F...R[...~.u.....Z..F....7.?.v....5O....zot..i.....b...^...Z...V...R...N...r./.?........=....#.`..\~n.n...)J./.......7........+......Q..]n............w......Ft........|......b...^...Z...V...R...N..W<x......l._...l..?.A......x....x.9.|.8..............u................w#.....nD..]...........R.......R.......R........o...].`.....A....#.`..\.....+J./.......7........+......Q..]n.........w9~7......Ft........|......b...^.c..-...-...-

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033923[[fn=Depth]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):2332136
                            Entropy (8bit):7.9547975506532795
                            Encrypted:false
                            SSDEEP:49152:5HQKNdoI77mfXP/mDZLGkkgrODG1MHKr4nNtOmtu0:5HNjoygXnm0jgrODhqrsNcmtu0
                            MD5:2AECC99B664F840799028A20703C3E21
                            SHA1:0018EAB0CE4900220607F4F80B506AA2F7F89C17
                            SHA-256:DF93F14304E35E460EEC7F8464AE2C2B0BFFA84D860D4857F41E0F07A3F023E3
                            SHA-512:E0BD3A86C7AF6B7202E8FBA42BCA27FBB17A21AC94A685A38C8A45F5AE35F350AE18D6B107F553DC95774FAE47F8BD8926F76DDD840BB7EB8E51E5CF2269AA1C
                            Malicious:false
                            Preview:PK........fdlB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1750795
                            Entropy (8bit):7.892395931401988
                            Encrypted:false
                            SSDEEP:24576:DyeAqDJpUDH3xk8ZKIBuX3TPtd36v4o5d4PISMETGBP6eUP+xSeW3v0HKPsc:uRqUjSTPtd36AFDM/BP6eUeW3v0Fc
                            MD5:529795E0B55926752462CBF32C14E738
                            SHA1:E72DFF8354DF2CB6A5698F14BBD1805D72FEEAFF
                            SHA-256:8D341D1C24176DC6B67104C2AF90FABD3BFF666CCC0E269381703D7659A6FA05
                            SHA-512:A51F440F1E19C084D905B721D0257F7EEE082B6377465CB94E677C29D4E844FD8021D0B6BA26C0907B72B84157C60A3EFEDFD96C16726F6ABEA8D896D78B08CE
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2924237
                            Entropy (8bit):7.970803022812704
                            Encrypted:false
                            SSDEEP:49152:mc4NEo4XNd5wU5qTkdC4+K9u5b/i40RKRAO/cLf68wy9yxKrOUURBgmai2prH:mJef5yTSoKMF//DRGJwLx9DBaH
                            MD5:5AF1581E9E055B6E323129E4B07B1A45
                            SHA1:B849F85BCAF0E1C58FA841FFAE3476D20D33F2DD
                            SHA-256:BDC9FBF81FBE91F5BF286B2CEA00EE76E70752F7E51FE801146B79F9ADCB8E98
                            SHA-512:11BFEF500DAEC099503E8CDB3B4DE4EDE205201C0985DB4CA5EBBA03471502D79D6616D9E8F471809F6F388D7CBB8B0D0799262CBE89FEB13998033E601CEE09
                            Malicious:false
                            Preview:PK.........{MB.$<.~....p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c...W..G.4D_.}T,.@...}....R.Z..4k.....Y..mEkLor.f^..O..P...`..^.......H^..<}...lA-.D.....lI/...hD.Z....|VM..ze........L..tU...g....lQ....Y...>MI...5-....S......h=..u.h..?;h...@k...h...'Z...D...;.....h=..'Z...D...;.....)^./.../U.../..../U.../..../U..?...'.........Ngz..A.~.8.#D....xot.u.?...eyot.n..{..sk....[......Z..F....l...o)..o..o...oi..o)..o..,..b.s......2.C.z.~8.......f......x.9.|.8..............u................r.nD..]...........w.~7...-...-...-...-...-...-....x.&l........>.4.z.~8..........=E....As.1..q. 9....w.7...1........w.}7......Ft...................o)..o..o...oi..o)..o..w.7a...x0...........d0..............A.......Fl.............Ft................w#...r.nD..]..M...K1.0..7....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2357051
                            Entropy (8bit):7.929430745829162
                            Encrypted:false
                            SSDEEP:49152:tfVcGO3JiR6SgT7/bOCrKCsaFCX3CzwovQTSwW8nX:pVcG2iRedsaoXSzeOwWEX
                            MD5:5BDE450A4BD9EFC71C370C731E6CDF43
                            SHA1:5B223FB902D06F9FCC70C37217277D1E95C8F39D
                            SHA-256:93BFC6AC1DC1CFF497DF92B30B42056C9D422B2321C21D65728B98E420D4ED50
                            SHA-512:2365A9F76DA07D705A6053645FD2334D707967878F930061D451E571D9228C74A8016367525C37D09CB2AD82261B4B9E7CAEFBA0B96CE2374AC1FAC6B7AB5123
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3611324
                            Entropy (8bit):7.965784120725206
                            Encrypted:false
                            SSDEEP:49152:ixc1kZBIabo4dTJyr3hJ50gd9OaFxTy+1Nn/M/noivF0po3M0h0Vsm:ixcaAabT83hJLdoaFxTygxcoiX3M0iCm
                            MD5:FB88BFB743EEA98506536FC44B053BD0
                            SHA1:B27A67A5EEC1B5F9E7A9C3B76223EDE4FCAF5537
                            SHA-256:05057213BA7E5437AC3B8E9071A5577A8F04B1A67EFE25A08D3884249A22FBBF
                            SHA-512:4270A19F4D73297EEC910B81FF17441F3FC7A6A2A84EBA2EA3F7388DD3AA0BA31E9E455CFF93D0A34F4EC7CA74672D407A1C4DC838A130E678CA92A2E085851C
                            Malicious:false
                            Preview:PK.........{MB.f}......p......[Content_Types].xml..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"....|.{.[..e^7E......Gi..V.by..G..|.......U..t.|..mW...m..|.5.j./..^d-.Y_.]e..E~wog...j...v......?..u....c.v...(=.v........F_..U..G...T.e.y)[..b.......3.m....6.X5.P........_...b../..}.-......~.-..z..d.......j.^.+c..E.V..~3}..U.7..~p.>.E..9^d....4%}.E.$....N..r....<....%...%.?....w.u...h........D...w.....h........Dkw...x..T....T....T....T....T....T....j...."[.J.....;..!4...M...............t.n-.{..skp...[;.......F...j.7...4fC...K1..K/..K-..K+..K)..K'..f9......Fl._.........d0...?7K7].........A.......Fl.............Ft....u.......Ft........\.......w....R.......R.......R........o...].`.....A....#.`..\.....S.._...4...o.........W<x#..............w#...r.nD..]....\.~....|......b...^...Z...V...R...N..W<x......l._...l..?.A......xp_Q..y<h..tL.i.?HNn...]..........r.nD..]~.........wy~7......Ft...........E/|c.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):1091485
                            Entropy (8bit):7.906659368807194
                            Encrypted:false
                            SSDEEP:24576:oBpmCkw3Tg/euEB+UdoC4k7ytHkHA6B/puqW2MIkTeSBmKrZHQ:MR3c/AseydwppC7veSBmWHQ
                            MD5:2192871A20313BEC581B277E405C6322
                            SHA1:1F9A6A5E10E1C3FFEB6B6725C5D2FA9ECDF51085
                            SHA-256:A06B302954A4C9A6A104A8691864A9577B0BFEA240B0915D9BEA006E98CDFFEC
                            SHA-512:6D8844D2807BB90AEA6FE0DDDB9C67542F587EC9B7FC762746164B2D4A1A99EF8368A70C97BAD7A986AAA80847F64408F50F4707BB039FCCC509133C231D53B9
                            Malicious:false
                            Preview:PK...........G`.jaV....P......[Content_Types].xml...n.@...W......T@.mwM.E....)....y...H}.N..ll8.h5g6Q.=3_......?...x..e^Di.p.^.ud...(Y/..{w..r..9.../M...Q*{..E...(.4..>..y,.>..~&..b-.a.?..4Q2Q=.2.......m....>-....;]......N'..A...g.D.m.@(}..'.3Z....#....(+....-q<uq.+....?....1.....Y?Oy......O"..J?....Q$zT.].7.N..Q Wi.....<.........-..rY....hy.x[9.b.%-<.V?.(......;r.+...Q<.;U.....4...!'k...s.&..)'k...d.s..}R....o".D.I..7..7.KL.7..Z.....v..b.5.2].f....l.t....Z...Uk...j.&.U-....&>.ia1..9lhG..Q.P.'P.U}.k..rU..rU..rU..rU..rU..rU..rU..rU_EK_}.zi.....G.........j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..h.oT/-c..`....7FaBu.@-W.A.]..U}H.U}H.U}H.U}H.U}H.U}H.U}H.U}.-}...e...,..7...&(L.....>.kw...i...i...i...i...i...i...i.......I...U_.....vT.....}..\...v..W.!-W.!-W.!-W.!-W.!-W.!-W.!-W.U...7.....k.pT...0..O.... ...>..>..>..>..>..>..>......f..2V}....W>jO....5..].?.o..oPK...........G.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):608122
                            Entropy (8bit):7.729143855239127
                            Encrypted:false
                            SSDEEP:6144:Ckl6KRKwg9jf2q/bN69OuGFlC/DUhq68xOcJzGYnTxlLqU8dmTW:8yKwgZ2qY9kA7Uhq68H3ybmq
                            MD5:8BA551EEC497947FC39D1D48EC868B54
                            SHA1:02FA15FDAF0D7E2F5D44CAE5FFAE49E8F91328DF
                            SHA-256:DB2E99B969546E431548EBD58707FC001BBD1A4BDECAD387D194CC9C6D15AC89
                            SHA-512:CC97F9B2C83FF7CAC32AB9A9D46E0ACDE13EECABECD653C88F74E4FC19806BB9498D2F49C4B5581E58E7B0CB95584787EA455E69D99899381B592BEA177D4D4B
                            Malicious:false
                            Preview:PK.........LGE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK.........LG.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):857650
                            Entropy (8bit):7.84356939318248
                            Encrypted:false
                            SSDEEP:12288:RiQJnhBiU81d9WbQPHxV9uqraiDFihVRR5cJJeYiaFUV0CoTz:RiwhE8bIXkvQIjRR+nDmVK3
                            MD5:9A0B4CB63DD4E749EE4258F897FF42EE
                            SHA1:BD0F90AAD36C7DB69A57179B9702B13D8C83AABF
                            SHA-256:9C5471CD01C213E94E699E12331194370D8E3F4FC37776CAACDCF7CCB8949A2E
                            SHA-512:407AB455623FD3911E6B00CF0A23333979D7E29E7DFB0A759A3FF162B12894C843C51EFF6E1F99BB721851ABB122052ED7F141053FF4F5D955D7842B3600AA44
                            Malicious:false
                            Preview:PK...........JE,.{E...#P......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-o..j?...H..sa......./UCb.'...r...w.i..e..<[....{2..U.m..N.{...r.....3.fj.o......2.*....;.L.6..&,D.Cld8...a.gZf.......r-v..><....~/......|Zk.......a.R&.d.(.$..6..}.:.....3......1..[.p.....?..+....R...y,.fod.....e...-.|..#..]j....n:...f...-J...i.^.:Y....T..........m^..~GNp../e}...N....a..5.d.8YcN..5.d.8Y...7..A..e...7Q."3...../.sL._...v...n..b..2].v....n.t....Z...Uk...j.&.Z....im|.r....B.....7DaBuN.... ...>..>..>..>..>..>..>.........V}-.....Q}#.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7FaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}..&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b....7EaBuN.... ...>..>..>..>..>..>..>.........V}-...Q}3.&T..j...r..]..CZ..CZ..CZ..CZ..CZ..CZ..CZ..i.o.,-k..b.\}..)...A.......[..PK...........J.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70...........84P....

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401375[[fn=Madison]].thmx (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):2443359
                            Entropy (8bit):7.927032974390551
                            Encrypted:false
                            SSDEEP:49152:2HZkYR3gdOwBkskdDT+FQDGn5zpoLU0izCPOYZSKgdE6qFnm3DP+ulUnW:2jRkOlskJpDO5zpoKzZBKga6YmzWulUW
                            MD5:960696AF7BBDF3A98F282FD51A641797
                            SHA1:D884A5875C64C8F3B011E0754BEA633ACACEFBE6
                            SHA-256:CBFAC1EE697AB73485822088E25CEDB92D495B0B9423464CEBAC2FE3989212FC
                            SHA-512:9000DD85A0B2EBF5BE41D6C9785D69462D4D1B097D49CF2A57A432AB5D784BB9C95ECF1EB9F7CCC88D0CE47C580014E038D7A716FD1F8C094D2E6A1A42F3F0A3
                            Malicious:false
                            Preview:PK.........k.JH...O...VP......[Content_Types].xml..Mo.0.....Z..N7.=l......V0.-q.......0..*!......R5/..Xu..C...5.{H.o/.2.....}.*.V..,..^.n.....c.K.....:...e...(.,..\YgE*.9,6a...b#.a.?..Li.tO?=._....%...`N.........{.j........u..\..9^h.T.<.$.<.#...p.V'......f..r.......Kggx...x....E...H.m.6.)._.2S...l....8..,.fHP}.M.......I.B....c.....4.......=ebN.R..Q=.~EN.*.4.x.v.........rf.8..Y..)g.3.3..g.O.e...7Q.B........L.7..v.6;..v....d....M.Z...ZkWC]k.".k.];u..K.Wk...>Wk.#..Z.| t.6tC}C...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7lJ..ZZ8.7rC}#...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7jJ..ZZ8.7vC}c...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7nJ..ZZ8.7qC}....}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7iJ..ZZ8.7uC}S...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7mJ..ZZ8.7sC}3...}.k...s.Z]...Z...Z...Z...Z...Z...Z...Z...j..7kJ..ZZ,..ztyJ.<}.2.e..._....PK.........k.J.s@.....O......._rels/.rels...J.1.._%..d...t......}...n2!..}6.>..`(.v...K`2...70........

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):5783
                            Entropy (8bit):7.88616857639663
                            Encrypted:false
                            SSDEEP:96:CDG4D+8VsXzXc2zLXTJ2XFY47pk2G7HVlwFzTXNbMfmn2ivLZcreFWw5fc9ADdZm:CDG4DRGY23l2Xu47GL7YtT9V29yWvWdk
                            MD5:8109B3C170E6C2C114164B8947F88AA1
                            SHA1:FC63956575842219443F4B4C07A8127FBD804C84
                            SHA-256:F320B4BB4E57825AA4A40E5A61C1C0189D808B3EACE072B35C77F38745A4C416
                            SHA-512:F8A8D7A6469CD3E7C31F3335DDCC349AD7A686730E1866F130EE36AA9994C52A01545CE73D60B642FFE0EE49972435D183D8CD041F2BB006A6CAF31BAF4924AC
                            Malicious:false
                            Preview:PK.........A;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........pnB;.M.:....g......._rels/.rels...J.0.._%.n....xp..,{.i2M.........G..........7...3o/.......d.kyU....^..[>Q....j.#P.H......Z>..+!...B*|@...G...E....E]..".3.......!..7....,:..,.......Ot..0r....Z..&1..U..p.U-.[Uq&.......................Gyy.}n.(.C(i.x........?.vM..}..%.7.b.>L..]..PK........EV:5K..4....H......diagrams/layout1.xml.Yo.6........S.`......$M...Q8A...R..T.k...K.4CQG..}.A..9.?R....!&...Q..ZW.......Q....<8..z..g....4{d.>..;.{.>.X.....Y.2.......cR....9e.. ...}L.....yv&.&...r..h...._..M. e...[..}.>.k..........3.`.ygN...7.w..3..W.S.....w9....r(....Zb..1....z...&WM.D<......D9...ge......6+.Y....$f......wJ$O..N..FC..Er........?..is...-Z

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):4026
                            Entropy (8bit):7.809492693601857
                            Encrypted:false
                            SSDEEP:96:VpDCBFLhxaUGm5EWA07yNdKH1FQpy8tnX8Iz3b7TrT502+fPD:VpDYFFRMNU+RtXzLf35t+3D
                            MD5:5D9BAD7ADB88CEE98C5203883261ACA1
                            SHA1:FBF1647FCF19BCEA6C3CF4365C797338CA282CD2
                            SHA-256:8CE600404BB3DB92A51B471D4AB8B166B566C6977C9BB63370718736376E0E2F
                            SHA-512:7132923869A3DA2F2A75393959382599D7C4C05CA86B4B27271AB9EA95C7F2E80A16B45057F4FB729C9593F506208DC70AF2A635B90E4D8854AC06C787F6513D
                            Malicious:false
                            Preview:PK........YnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........bnB;?.......f......._rels/.rels...J.1.._%..f....m/.,x...&.lt.dV.y.|.."v....q..|......r..F..)..;.T5g.eP..O..Z.^-.8...<.Y....Q.."....*D.%.!9.R&#".'0(.u}).!..l....b..J..rr....P.L.w..0.-......A..w..x.7U...Fu<mT.....^s...F./ ..( .4L..`.....}...O..4.L...+H.z...m..j[].=........oY}.PK........J.L6...m....,.......diagrams/layout1.xml.X.n.8.}N.....PG.............wZ.,.R.%.K...J.H]....y.3..9...O..5."J.1.\.1....Q....z......e.5].)...$b.C)...Gx!...J3..N..H...s....9.~...#..$...W.8..I`|..0xH}......L.|..(V;..1...kF..O=...j...G.X.....T.,d>.w.Xs.......3L.r..er\o..D..^....O.F.{:.>.R'....Y-...B.P.;....X.'c...{x*.M7..><l.1.w..{].46.>.z.E.J.......G......Hd..$..7....E.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):4243
                            Entropy (8bit):7.824383764848892
                            Encrypted:false
                            SSDEEP:96:22MQe4zHye8/djzF+JjvtmMkkBpF7e0LTkaf:22De4zHHCvF+nRBDXoaf
                            MD5:7BC0A35807CD69C37A949BBD51880FF5
                            SHA1:B5870846F44CAD890C6EFF2F272A037DA016F0D8
                            SHA-256:BD3A013F50EBF162AAC4CED11928101554C511BD40C2488CF9F5842A375B50CA
                            SHA-512:B5B785D693216E38B5AB3F401F414CADACCDCB0DCA4318D88FE1763CD3BAB8B7670F010765296613E8D3363E47092B89357B4F1E3242F156750BE86F5F7E9B8D
                            Malicious:false
                            Preview:PK........NnB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........TnB;..d.....h......._rels/.rels...J.0.._%.n..)"....<.w.&.4..!...y.|.........|.&3.o.....S..K.T5g.U....g..n.f....T*.hcf...D.V..Ft....d....c2".z.....N.s._2....7.0.V.]P.CO?...`...8....4&......_i..Y.T...Z...g....{-...]..pH..@.8....}tP.)..B>..A...S&......9..@...7........b_.PK........r};5.z..............diagrams/layout1.xml.X.n.8.}.........4.+.(...@......(..J..._.!)..b..v.}.H..zf8...dhM....E..I.H..V.Y.R..2zw5L~....^..]...J_..4.\.\......8..z..2T..".X.l.F#......5....,*....c....r.kR.I.E..,.2...&%..''.qF.R.2.....T;F...W.. ...3...AR.OR.O..J}.w6..<...,.x..x....`g?.t.I.{.I...|X..g.....<BR..^...Q.6..m.kp...ZuX.?.z.YO.g...$.......'.]..I.#...]$/~`${.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):16806
                            Entropy (8bit):7.9519793977093505
                            Encrypted:false
                            SSDEEP:384:eSMjhqgJDGwOzHR3iCpK+QdLdfufFJ9aDn9LjDMVAwHknbz7OW:eSkhqglGwERSAHQdLhDn9AKokv7H
                            MD5:950F3AB11CB67CC651082FEBE523AF63
                            SHA1:418DE03AD2EF93D0BD29C3D7045E94D3771DACB4
                            SHA-256:9C5E4D8966A0B30A22D92DB1DA2F0DBF06AC2EA75E7BB8501777095EA0196974
                            SHA-512:D74BF52A58B0C0327DB9DDCAD739794020F00B3FA2DE2B44DAAEC9C1459ECAF3639A5D761BBBC6BDF735848C4FD7E124D13B23964B0055BB5AA4F6AFE76DFE00
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........Ul.<..<"I5...&......diagrams/layout1.xml.}.r.I..s........~Y.f.gzfv......E."w.K..J5m.e...4.0..Q... A.!...%...<...3.......O.......t~.u{...5.G......?,.........N......L......~.:....^,..r=./~7_..8............o.y......oo.3.f........f.......r.7../....qrr.v9.......,?..._O.....?9.O~]..zv.I'.W..........;..\..~....../........?~..n.....\}pt.........b,~...;>.=;>:..u.....?.......2]..]....i......9..<.p..4D..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):11380
                            Entropy (8bit):7.891971054886943
                            Encrypted:false
                            SSDEEP:192:VJcnLYnAVbOFLaCPLrGGbhaWEu6d3RmryqLkeAShObPb1AYcRMMXjkfa0nYBwggD:VcMC8lLrRbhy1ZqLyShYb1FHQ4C0nYQJ
                            MD5:C9F9364C659E2F0C626AC0D0BB519062
                            SHA1:C4036C576074819309D03BB74C188BF902D1AE00
                            SHA-256:6FC428CA0DCFC27D351736EF16C94D1AB08DDA50CB047A054F37EC028DD08AA2
                            SHA-512:173A5E68E55163B081C5A8DA24AE46428E3FB326EBE17AE9588C7F7D7E5E5810BFCF08C23C3913D6BEC7369E06725F50387612F697AC6A444875C01A2C94D0FF
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........q.~<.6..9 ...e......diagrams/layout1.xml..r.........{.]..u...xv7b.....HPd....t.q...b.i_a.'..P.f.3..F..1...U.u.*.2......?}..O..V.....yQ.Mf........w.....O....N.........t3;...e....j.^.o&.....w...../.w................e.................O..,./..6...8>^.^..........ru5...\.=>[M?......g..........w.N....i.........iy6.?........>.......>{yT...........x.........-...z5.L./.g......_.l.1.....#...|...pr.q

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):6024
                            Entropy (8bit):7.886254023824049
                            Encrypted:false
                            SSDEEP:96:bGa2onnLYHTSSxpHVTSH1bywZKmpRqiUtFvS9xrPooBpni6eDa16MUELHsrKjRBA:SJonLYzSSr1TuZNwtFZKpiiyrKXuCUd
                            MD5:20621E61A4C5B0FFEEC98FFB2B3BCD31
                            SHA1:4970C22A410DCB26D1BD83B60846EF6BEE1EF7C4
                            SHA-256:223EA2602C3E95840232CACC30F63AA5B050FA360543C904F04575253034E6D7
                            SHA-512:BDF3A8E3D6EE87D8ADE0767918603B8D238CAE8A2DD0C0F0BF007E89E057C7D1604EB3CCAF0E1BA54419C045FC6380ECBDD070F1BB235C44865F1863A8FA7EEA
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK........2..<..]#.....'......diagrams/layout1.xml.].r.8...V.;0.;..aO........{.....V..3].d{..............\. .#.t... ........x<...@7o.]..7.N..@.NF..../....S.../.xC..U...<..Q.=...|..v.....cQ..Y=.....i`.. ..?.;...Go....x.O.$....7s..0..qg....|..r..l.w.a..p.3.Em7v...N............3..7...N.\\..f...9...U$..7...k.C..M.@\.s....G/..?...I...t.Yos...p..z...6.lnqi.6..<..1qg+......#]....|C/N..K\}.....#..".

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):9191
                            Entropy (8bit):7.93263830735235
                            Encrypted:false
                            SSDEEP:192:oeAMExvPJMg+yE+AfJLi3+Xoj7F3sPgMG61J88eDhFWT7hFNsdJtnLYJ7tSh:v2d+hnfJLi3+4ja4WqhFWT7FsdHMA
                            MD5:08D3A25DD65E5E0D36ADC602AE68C77D
                            SHA1:F23B6DDB3DA0015B1D8877796F7001CABA25EA64
                            SHA-256:58B45B9DBA959F40294DA2A54270F145644E810290F71260B90F0A3A9FCDEBC1
                            SHA-512:77D24C272D67946A3413D0BEA700A7519B4981D3B4D8486A655305546CE6133456321EE94FD71008CBFD678433EA1C834CFC147179B31899A77D755008FCE489
                            Malicious:false
                            Preview:PK.........]w>....<...5.......diagrams/layout1.xmlz........].r.F.}......1w`.J..'.......w..Dn. d....~........pw...O.......s...?...p7.t>e.r<.]u.e..d..|8..\uo.......K...._.Y..E6.|..y;........y.*/:o./...:[.o.+/.....?.....Z.?..s..d}...S.`...b.^o9.e.ty9_d...y>M.....7...e....."....<.v.u...e:].N.t....a....0..}..bQ.Y..>.~..~...U.|..Ev.....N...bw....{...O..Y.Y.&........A.8Ik...N.Z.P.[}t........|m...E..v..,..6........_?..."..K<.=x....$..%@.e..%....$=F..G..e........<F..G51..;......=...e.e.q..d......A...&9'.N.\%.=N.Z.9.s......y.4.Q.c......|8.......Eg.:.ky.z.h.......).O...mz...N.wy.m...yv....~8.?Lg..o.l.y:.....z.i..j.irxI.w...r.......|.=....s};.\u.{t;i~S.......U7..mw...<.vO...M.o...W.U.....}.`V<|..%....l..`>]..".].I.i.N..Z..~Lt.........}?..E~:..>$......x...%.........N....'C.m.=...w.=.Y...+'M.].2 >.]_~...'.?...:....z.O..Y......6..5...sj?.....).B..>.3...G...p.9.K!..[H..1$v../...E V..?`....+[...C......h..!.QI5....<.>...A.d.......

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):4326
                            Entropy (8bit):7.821066198539098
                            Encrypted:false
                            SSDEEP:96:+fF+Jrp7Yo5hnJiGa24TxEcpUeONo1w2NFocy2LQi33Z:2+f7YuhJdJ4TxEcmKwGkk3Z
                            MD5:D32E93F7782B21785424AE2BEA62B387
                            SHA1:1D5589155C319E28383BC01ED722D4C2A05EF593
                            SHA-256:2DC7E71759D84EF8BB23F11981E2C2044626FEA659383E4B9922FE5891F5F478
                            SHA-512:5B07D6764A6616A7EF25B81AB4BD4601ECEC1078727BFEAB4A780032AD31B1B26C7A2306E0DBB5B39FC6E03A3FC18AD67C170EA9790E82D8A6CEAB8E7F564447
                            Malicious:false
                            Preview:PK.........n.A...#............docProps/thumbnail.jpgz.........{4.i....1.n.v)..#.\*....A+..Q(."..D.......#Q)...SQ....2c.ei.JC...N.{......}.s.s..y>....d.(:.;.....q........$.OBaPbI..(.V...o.....'..b..edE.J.+.....".tq..dqX.......8...CA.@..........0.G.O.$Ph...%i.Q.CQ.>.%!j..F..."?@.1J.Lm$..`..*oO...}..6......(%....^CO..p......-,.....w8..t.k.#....d..'...O...8....s1....z.r...rr...,(.)...*.]Q]S.{X.SC{GgWw..O....X./FF9._&..L.....[z..^..*....C...qI.f... .Hq....d*.d..9.N{{.N.6..6)..n<...iU]3.._.....%./.?......(H4<.....}..%..Z..s...C@.d>.v...e.'WGW.....J..:....`....n..6.....]W~/.JX.Qf..^...}...._Sg.-.p..a..C_:..F..E.....k.H..........-Bl$._5...B.w2e...2...c2/y3.U...7.8[.S}H..r/..^...g...|...l..\M..8p$]..poX-/.2}..}z\.|.d<T.....1....2...{P...+Y...T...!............p..c.....D..o..%.d.f.~.;.;=4.J..]1"("`......d.0.....L.f0.l..r8..M....m,.p..Y.f....\2.q. ...d9q....P...K..o!..#o...=.........{.p..l.n...........&..o...!J..|)..q4.Z.b..PP....U.K..|.i.$v

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):7370
                            Entropy (8bit):7.9204386289679745
                            Encrypted:false
                            SSDEEP:192:fYa+ngK2xG6HvLvoUnXxO+blKO1lt2Zg0AV:fYVn8Y6Hv3XxO+8uQZCV
                            MD5:586CEBC1FAC6962F9E36388E5549FFE9
                            SHA1:D1EF3BF2443AE75A78E9FDE8DD02C5B3E46F5F2E
                            SHA-256:1595C0C027B12FE4C2B506B907C795D14813BBF64A2F3F6F5D71912D7E57BC40
                            SHA-512:68DEAE9C59EA98BD597AE67A17F3029BC7EA2F801AC775CF7DECA292069061EA49C9DF5776CB5160B2C24576249DAF817FA463196A04189873CF16EFC4BEDC62
                            Malicious:false
                            Preview:PK........;nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........HnB;..I)....j......._rels/.rels...J.@.._e..&6E.i/.,x..Lw'.j........G..\...................)...Y.3)..`...9r{v!......z...#>5.g.WJ%..T..>'m ..K.T.....j6[(:f.)S....C.mk5^.=:...X......C.... I......&5..e..H.1...).P.cw.kjT......C.......=.....}G!7E.y$.(...}b.........b=.<..^.....U..Y..PK.........^5a.2u............diagrams/layout1.xml..ko.8..+x.t.l..J.n.t.Mnw.x. ....B.t$.,.(&i.....(..d.mY......g.../[.<!.{ap>...L...p....G.9z?...._...e..`..%......8....G!..B8.....o...b.......Q.>|.......g..O\B...i.h...0B.}.....z...k...H..t~r.v........7o.E....$....Z.........ZDd..~......>......O.3.SI.Y.".O&I....#."._c.$.r..z.g0`...0...q:...^0.EF...%(.Ao$.#.o6..c'....$%.}

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):5596
                            Entropy (8bit):7.875182123405584
                            Encrypted:false
                            SSDEEP:96:dGa2unnLYEB2EUAPOak380NQjqbHaPKJebgrEVws8Vw+BMa0EbdLVQaZJgDZh0pJ:UJunLYEB2EUAxk3pIYaScgYwsV4bdS0X
                            MD5:CDC1493350011DB9892100E94D5592FE
                            SHA1:684B444ADE2A8DBE760B54C08F2D28F2D71AD0FA
                            SHA-256:F637A67799B492FEFFB65632FED7815226396B4102A7ED790E0D9BB4936E1548
                            SHA-512:3699066A4E8A041079F12E88AB2E7F485E968619CB79175267842846A3AD64AA8E7778CBACDF1117854A7FDCFB46C8025A62F147C81074823778C6B4DC930F12
                            Malicious:false
                            Preview:PK.........T.>................[Content_Types].xmlz.........=N.1...b.Eko(.B....(.Pp..=.u.?.....#q..ND.!$.J{.o....G..[Cv.....+.R.Nx..........0."u..S...$&.....Je..B..x......m......M^z....f....|...N..Q..z.!.- .2.9y.i.8j...........0.AE..p.s~@../jw.#8.I.#....4.~Cl.:#h..f.PU.s.~........(.)F..Y......^x..PK.........T.>...V....L......._rels/.rels...J.@.._e..]AD.....x....3.t..T.w.\ZpA<x......v..'....z.........Y..[...<..2.TT....Q$.!.=.....&C....b".F.q.7...X3...7.8.N.}.. ?..8...#..,.L.3.#e...wZpZ.]S..:....t.....{..6.7.|..,dH.e..K 7-}.~.v...5.......b..PK.........V.<.S.....Y.......diagrams/layout1.xml.\.r.8...U....m.$.."3.....;...../3.XAn..O.?....V.;...")Nr.O.H....O......_..E..S...L7....8H.y<=............~...Ic......v9.X.%.\.^.,?g.v.?%w...f.).9.........Ld;.1..?~.%QQ...h.8;.gy..c4..]..0Ii.K&.[.9.......E4B.a..?e.B..4....E.......Y.?_&!.....i~..{.W..b....L.?..L..@.F....c.H..^..i...(d.......w...9..9,........q..%[..]K}.u.k..V.%.Y.....W.y..;e4[V..u.!T...).%.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):3683
                            Entropy (8bit):7.772039166640107
                            Encrypted:false
                            SSDEEP:96:GyfQZd6ZHNCWl9aXFkZwIq/QDsRYPf8P9QtDIs5r:G6wYtNZS1k99AmPfSOtD5r
                            MD5:E8308DA3D46D0BC30857243E1B7D330D
                            SHA1:C7F8E54A63EB254C194A23137F269185E07F9D10
                            SHA-256:6534D4D7EF31B967DD0A20AFFF092F8B93D3C0EFCBF19D06833F223A65C6E7C4
                            SHA-512:88AB7263B7A8D7DDE1225AE588842E07DF3CE7A07CBD937B7E26DA7DA7CFED23F9C12730D9EF4BC1ACF26506A2A96E07875A1A40C2AD55AD1791371EE674A09B
                            Malicious:false
                            Preview:PK.........a9;lq.ri...#.......diagrams/layout1.xmlz........WKn.0.];.`..J..AP...4E..!..hi$..I......z..D.d;...m.d...f.3o.._....9'.P.I1.F.C...d.D:.........Q..Z..5$..BO...e..(.9..2..+.Tsjp.. Vt.f.<...gA.h...8...>..p4..T...9.c...'.G.;.@.;xKE.A.uX.....1Q...>...B...!T.%.* ...0.....&......(.R.u..BW.yF.Grs...)..$..p^.s.c._..F4.*. .<%.BD..E....x... ..@...v.7f.Y......N.|.qW'..m..........im.?.64w..h...UI...J....;.0..[....G..\...?:.7.0.fGK.C.o^....j4............p...w:...V....cR..i...I...J=...%. &..#..[M....YG...u...I)F.l>.j.....f..6.....2.]..$7.....Fr..o.0...l&..6U...M..........%..47.a.[..s........[..r....Q./}.-.(.\..#. ..y`...a2..*....UA.$K.nQ:e!bB.H.-Q-a.$La.%.Z!...6L...@...j.5.....b..S.\c..u...R..dXWS.R.8"....o[..V...s0W..8:...U.#5..hK....ge.Q0$>...k.<...YA.g..o5...3.....~re.....>....:..$.~........pu ._Q..|Z...r...E.X......U....f)s^.?...%......459..XtL:M.).....x..n9..h...c...PK........Ho9<"..%...........diagrams/layoutHeader1.xmlMP.N.0.>oOa.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):4888
                            Entropy (8bit):7.8636569313247335
                            Encrypted:false
                            SSDEEP:96:StrFZ23/juILHPzms5UTuK9CuZGEoEuZ28H1HiGa2RnnLY+tUb:SPZQ7uCHPzms5UTlqauZVHdJRnLY+tUb
                            MD5:0A4CA91036DC4F3CD8B6DBF18094CF25
                            SHA1:6C7EED2530CD0032E9EEAB589AFBC296D106FBB9
                            SHA-256:E5A56CCB3B3898F76ABF909209BFAB401B5DDCD88289AD43CE96B02989747E50
                            SHA-512:7C69426F2250E8C84368E8056613C22977630A4B3F5B817FB5EA69081CE2A3CA6E5F93DF769264253D5411419AF73467A27F0BB61291CCDE67D931BD0689CB66
                            Malicious:false
                            Preview:PK.........e.>.......]>......diagrams/layout1.xmlz........Z..6....;..{......lw.E.o....i..T....&...G.+...$..(.6..>Y.pf8C.|3.?..m....xA8v.`.hW..@..Zn..(kb..(.......`.+....Y`...\..qh.0.!&w..)|...<..]Q.. _....m..Z.{3..~..5..R..d..A.O....gU.M..0..#...;.>$...T......T..z.Z.\a.+...?#.~.....1.>?...*..DD.1...'..,..(...5B...M..]..>.C..<[....,L.p..Q.v.v^q.Y...5.~^c..5........3.j.......BgJ.nv.. ............tt......Q..p..K....(M.(]@..E..~z.~...8...49.t.Q..Q.n..+.....*J.#J.... .P...P.1...!.#&...?A..&.."..|..D.I...:.....~/.....b..].........nI7.IC.a..%...9.....4...r....b..q....@o........O...y...d@+~.<.\....f.a`:...Qy/^..P....[....@i.I.._.?.X.x.8....)..s....I.0...|.....t...;...q=k.=..N.%!.(.1....B.Ps/."...#.%..&...j<..2x.=<.......s.....h..?..]?Y?...C.}E.O........{..6.d....I...A.....JN..w+....2..m>9.T7...t.6.}.i..f.Ga..t.].->...8U......G.D`......p..f.. ...qT.YX.t.F..X.u=.3r...4....4Q.D..l.6.+PR...+..T..h: H.&.1~....n.....)........2J.. O.W+vd..f....0.....6..9QhV..

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):6448
                            Entropy (8bit):7.897260397307811
                            Encrypted:false
                            SSDEEP:192:tgaoRbo1sMjb0NiJ85oPtqcS+yaXWoa8XBzdJYnLYFtWT7:LR1sk+i4o1qc1yaukzd8MK
                            MD5:42A840DC06727E42D42C352703EC72AA
                            SHA1:21AAAF517AFB76BF1AF4E06134786B1716241D29
                            SHA-256:02CCE7D526F844F70093AC41731D1A1E9B040905DCBA63BA8BFFC0DBD4D3A7A7
                            SHA-512:8886BFD240D070237317352DEB3D46C6B07E392EBD57730B1DED016BD8740E75B9965F7A3FCD43796864F32AAE0BE911AB1A670E9CCC70E0774F64B1BDA93488
                            Malicious:false
                            Preview:PK.........k.>........'......diagrams/layout1.xmlz........].r.8.}.V.?p.n....g*5..JUn.....(SU......T.l.......X.d."m."..S....F..P.........-..<Y^..=..e.L....m>.pG.....M~...+\....u}o...".Yn}Y.".-r......0...'/........{........F.~.M8.d....(.....q.D.....4\.;.D,.\.)n.S....Z.cl.|<..7._.dk..7..E.......kS...d.....i.....noX...o.W#9..}.^..I0....G.......+.K.[i.O.|G..8=.;.8.8.8.8.....{..-..^.y..[.....`...0..f...Q<^~..*.l....{...pA.z.$.$R.../...E.(..Q.(V.E_ ......X]Q..Y9.......>...8......l..--.ug.......I.;..].u.b.3Lv:.d.%H..l<...V...$.M..A>...^M./.[..I....o~,.U. .$d\..?........O.;..^M..O...A.$Yx..|f.n...H.=.|!cG)dd%..(... ..Xe......2B."i...n....P.R..E?... Y.I6...7n..Xs..J..K..'..JaU..d..|.(y.a.....d......D.Dr...._.._..m..Yu..6.o.\......&.m....wy...4k?..~........f....0.. \...}iS.i..R....q-#_..g........{Z.u.V.r(....j.I...,R..f.=.n.[.'..L'd.n C.0.I.....RpaV........c.k..NR....)B^k...d.i...d0.E. ^..G.']....x.c.>'..p...y.ny.P.x6..%.J\.....De.B\.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):5630
                            Entropy (8bit):7.87271654296772
                            Encrypted:false
                            SSDEEP:96:n5ni6jKZWsD+QJaUQ7R6qYFF5QS+BEgeJam6S7ZCHuKViGa2CnnLYLt/ht:nccqxIBdQ1QS+uDJanS7ZCHHVdJCnLY5
                            MD5:2F8998AA9CF348F1D6DE16EAB2D92070
                            SHA1:85B13499937B4A584BEA0BFE60475FD4C73391B6
                            SHA-256:8A216D16DEC44E02B9AB9BBADF8A11F97210D8B73277B22562A502550658E580
                            SHA-512:F10F7772985EDDA442B9558127F1959FF0A9909C7B7470E62D74948428BFFF7E278739209E8626AE5917FF728AFB8619AE137BEE2A6A4F40662122208A41ABB2
                            Malicious:false
                            Preview:PK...........<..W8...j.......diagrams/layout1.xmlz........]......Hy..{...n .l.:.D.vvW..s....-a..fg&.}.\..+......4M..'=...(._.U]U......_.....U...k}.y.,......C..._^.......w/."7....v..Ea........Q..u..D{..{v.x.]....AtB15u..o...w..o.1...f.L...I<[zk7..7^..,.h.&l3...#..)..'H..d.r.#w=b...Ocw.y.&.v..t.>.s..m^M7..8I?o7................H...b....Qv.;'..%.f..#vR....V.H.),g..`...)(..m...[l...b...,.....U...Q.{.y.y.....G.I.tT.n..N.....A.tR..tr....i.<.......,.n:.#.A..a!X.......DK..;v..._M..lSc../n...v.....}.....I.|8.!b.C..v..|.....4l..n.;<9.i./..}!&2.c/.r...>.X02[..|.a.-.....$#-....>...{.M].>3.,\o.x....X%;.F.k.)*".I8<.0..#......?.h..-..O.2.B.s..v....{Abd...h0....H..I.. ...%...$1.Fyd..Y....U...S.Y.#.V.....TH(....%..nk.3Y.e.m.-.S..Q...j.Ai..E..v......4.t.|..&"...{..4.!.h.....C.P.....W...d[.....U<Yb;B.+W.!.@B....!.=......b"...Y.N;.#..Q...0G.lW...]7:...#9!z......|f..r..x.....t........`.uL1u.:.....U.D.n.<Q.[%...ngC./..|...!..q;;.w.".D..lt.".l.4".mt...E..mt

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):6193
                            Entropy (8bit):7.855499268199703
                            Encrypted:false
                            SSDEEP:192:WavHMKgnU2HUGFhUnkbOKoztj1QfcnLYut3d8:YKeUlGXUnC+HQSMp
                            MD5:031C246FFE0E2B623BBBD231E414E0D2
                            SHA1:A57CA6134779D54691A4EFD344BC6948E253E0BA
                            SHA-256:2D76C8D1D59EDB40D1FBBC6406A06577400582D1659A544269500479B6753CF7
                            SHA-512:6A784C28E12C3740300883A0E690F560072A3EA8199977CBD7F260A21E8346B82BA8A4F78394D3BB53FA2E98564B764C2D0232C40B25FB6085C36D20D70A39D1
                            Malicious:false
                            Preview:PK........X..<..Zn|...........diagrams/layout1.xmlz........]..H.}......M,l#g.j:.G-eu.*S=.$......T_6..I...6...d.NJ....r.p.p.........|.z.K.M..L.T.(........<..ks.......o...t}...P..*.7...`.+.[...H..._..X.u.....N....n....n|..=.....K.:.G7.u....."g.n.h...O.,...c...f.b.P......>[l.....j.*.?..mxk..n..|A...,\o..j..wQ.....lw.~].Lh..{3Y..D..5.Y..n..Mh.r..J....6*.<.kO...Alv.._.qdKQ.5...-FMN......;.~..._..pv..&...%"Nz].n............vM.`..k..a.:.f]...a........y.....g0..`........|V...Yq.....#...8....n..i7w<2Rp...R.@.]..%.b%..~...a..<.j...&....?...Qp..Ow|&4>...d.O.|.|...Fk;t.P[A..i.6K.~...Y.N..9......~<Q..f...i.....6..U...l. ..E..4$Lw..p..Y%NR..;...B|B.U...\e......S...=...B{A.]..*....5Q.....FI..w....q.s{.K....(.]...HJ9........(.....[U|.....d71.Vv.....a.8...L.....k;1%.T.@+..uv.~v.]`.V....Z.....`.M.@..Z|.r........./C..Z.n0.....@.YQ.8..q.h.....c.%...p..<..zl.c..FS.D..fY..z..=O..%L..MU..c.:.~.....F]c......5.=.8.r...0....Y.\o.o....U.~n...`...Wk..2b......I~

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):3075
                            Entropy (8bit):7.716021191059687
                            Encrypted:false
                            SSDEEP:48:96yn4sOBoygpySCCxwKsZCB2oLEIK+aQpUNLRQWtmMamIZxAwCC2QnyODhVOzP4:l0vCxJsZQ2ofpKvtmMdIZxAwJyODhVOE
                            MD5:67766FF48AF205B771B53AA2FA82B4F4
                            SHA1:0964F8B9DC737E954E16984A585BDC37CE143D84
                            SHA-256:160D05B4CB42E1200B859A2DE00770A5C9EBC736B70034AFC832A475372A1667
                            SHA-512:AC28B0B4A9178E9B424E5893870913D80F4EE03D595F587AA1D3ACC68194153BAFC29436ADFD6EA8992F0B00D17A43CFB42C529829090AF32C3BE591BD41776D
                            Malicious:false
                            Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK.........nB;O.......k......._rels/.rels...J.@.._e..4...i/.,x..Lw'....v'.<....WpQ..,......7?....u.y..;bL../..3t.+.t.G....Y.v8.eG.MH,....(\..d..R....t>Z.<F-..G.(..\.x...l?..M..:#........2.#.[..H7..#g{...._j...(.....q......;.5'..Nt..."...A.h........>....\.'...L..D..DU<.....C.TKu.5Tu....bV..;PK.........C26.b..............diagrams/layout1.xml.T.n. .}N....).je./m.+u....`{..0P......p..U}c.9g..3....=h.(.."..D-.&....~.....y..I...(r.aJ.Y..e..;.YH...P.{b......hz.-..>k.i5..z>.l...f...c..Y...7.ND...=.%..1...Y.-.o.=)(1g.{.".E.>2.=...]Y..r0.Q...e.E.QKal,.....{f...r..9-.mH..C..\.w....c.4.JUbx.p Q...R......_...G.F...uPR...|um.+g..?..C..gT...7.0.8l$.*.=qx.......-8..8.

                            C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:Microsoft OOXML
                            Category:dropped
                            Size (bytes):5151
                            Entropy (8bit):7.859615916913808
                            Encrypted:false
                            SSDEEP:96:WkV3UHhcZDEteEJqeSGzpG43GUR8m8b6dDLiCTfjKPnD6H5RhfuDKNtxx3+7tDLp:Wq3UBc9EJqIpGgD5dDL1DjKvDKhfnNti
                            MD5:6C24ED9C7C868DB0D55492BB126EAFF8
                            SHA1:C6D96D4D298573B70CF5C714151CF87532535888
                            SHA-256:48AF17267AD75C142EFA7AB7525CA48FAB579592339FB93E92C4C4DA577D4C9F
                            SHA-512:A3E9DC48C04DC8571289F57AE790CA4E6934FBEA4FDDC20CB780F7EA469FE1FC1D480A1DBB04D15301EF061DA5700FF0A793EB67D2811C525FEF618B997BCABD
                            Malicious:false
                            Preview:PK.........nB;.h......F.......[Content_Types].xmlz.........MN.0...by.b.,.BI...X `...{..O.S...H\.'.XTP..K{.o.....rg..bL...XM.:.v..c.k...}.D....9.....Bb>.+..G.......+(.u}.w.]...v..{.M&.].>`....nB..B0Z@.e.u..R.......-.&#....aR..`.a..|. 1^......&..|..s.A.t..b..A.i7...7.&....bQK$O.......9....V....Wt_PK........5nB;.ndX....`......._rels/.rels...J.1.._%..f.J.J..x..AJ.2M&......g..#............|.c..x{_._..^0e.|.gU..z.....#.._..[..JG.m.....(...e..r."....P)....3..M].E:..SO.;D..c..J..rt...c.,.....a.;.....$.../5..D.Ue.g...Q3......5.':...@...~t{.v..QA>.P.R.A~..^AR.S4G......].n...x41....PK.........^5..s.V....Z......diagrams/layout1.xml.[]o.F.}N~..S.......VU.U+m6R........&.d.}...{M....Q.S....p9.'./O..z."..t>q....."[..j>y..?...u....[.}..j-...?Y..Bdy.I./.....0.._.....-.s...rj...I..=..<..9.|>YK.....o.|.my.F.LlB..be/E.Y!.$6r.f/.p%.......U....e..W.R..fK....`+?.rwX.[.b..|..O>o.|.....>1.......trN`7g..Oi.@5..^...]4.r...-y...T.h...[.j1..v....G..........nS..m..E"L...s

                            C:\Users\user\Desktop\~$Presentation.pptx

                            Download File
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):165
                            Entropy (8bit):1.4426651152920147
                            Encrypted:false
                            SSDEEP:3:KVmF2cAmltV:KVy2cR
                            MD5:F497D347BE832C6984D3568B5A94771A
                            SHA1:6D72CB3EC231ADFD93E63DE09CBDEC0D15729E4E
                            SHA-256:156C9860830DA8342CF5779BA1F66024A135313C9DC210F58578198D75B0E13F
                            SHA-512:7E3FD4EB7CA5D8B451AF14864FC9E237DCFD9E8B3A0EADA166AB61EC1E79083CAE33F6418301A7CFEF69B180E4CCA38BA9EF8D0DC99C157A5B9F744CBB005D22
                            Malicious:false
                            Preview:.user. ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                            Static File Info

                            General

                            File type:Microsoft PowerPoint 2007+
                            Entropy (8bit):7.889029121709577
                            TrID:
                            • PowerPoint Microsoft Office Open XML Format document (133004/1) 76.66%
                            • Microsoft PowerPoint Macro-enabled Open XML add-in (32504/1) 18.73%
                            • ZIP compressed archive (8000/1) 4.61%
                            File name:Presentation.pptx
                            File size:58'333 bytes
                            MD5:d6fe5c7469058b496c0eb7882bd99934
                            SHA1:051f36a8d8b3134e163981f4ae4a0548853e7fe8
                            SHA256:0441d5351a8829f35050985ebd60d7bd113eedd4747889b904588b84909148eb
                            SHA512:428e3063ebb9c88813d6aacf4c4c95af20def0cb81164b013904c7b20184b070efcb9f5d1114f74bcad4d8e792d199f90bdb2c98f8a20e7de98b70c535ed2124
                            SSDEEP:1536:poAJHSuNPP3FJWcAHxcd+QJGGfsPYTBxvTu7iMFg6z7/:mnu5IydFJhfyGjvTu7pg6v/
                            TLSH:FF43D008DA006646C3732175D935DCE0B6A64D97EA59EDEFD4DB38CE0AA5E83170D3C8
                            File Content Preview:PK..........!.+O......4.......ppt/presentation.xml...n.0...'...o'J.WH.R5..&uR..........N.t....L..&...........xq}..s.R...._M.Cy...?...!s..(MxA..4E'......E=.%U.k....0\.I.vZ.s.S..VD]..r.m.....|..I^!|.<.2.....Y.......9......m.IYS.........6.....9...IQ.....AK..

                            File Icon

                            Icon Hash:3de58c8eaea685b5

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Oct 1, 2024 15:06:32.526552916 CEST49675443192.168.2.4173.222.162.32
                            Oct 1, 2024 15:06:40.251128912 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:40.251157999 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:40.251307011 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:40.251781940 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:40.251796961 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.059566975 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.059659004 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.084974051 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.084994078 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.085257053 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.085768938 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.085768938 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.085813999 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.356106997 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.356266975 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.356337070 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.403589964 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.403589964 CEST49739443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:41.403614998 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:41.403630018 CEST4434973940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:42.019695044 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:42.019742966 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:42.019849062 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:42.028923988 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:42.028950930 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:42.804095984 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:42.830553055 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:42.830609083 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:42.831110954 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:42.831120014 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:42.831141949 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:42.831152916 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.956180096 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.956204891 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.956222057 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.956276894 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:44.956310034 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.956346035 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:44.956361055 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:44.957576990 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.957647085 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.957669973 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:44.957694054 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.957706928 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:44.957706928 CEST49742443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:44.957715034 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:44.957720995 CEST4434974240.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:45.032288074 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:45.032357931 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:45.032592058 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:45.032767057 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:45.032784939 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:45.818694115 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:45.819813967 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:45.819833994 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:45.821759939 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:45.821768045 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:45.821789980 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:45.821799994 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.244627953 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:46.244656086 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:46.244848967 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:46.245881081 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:46.245896101 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:46.315207958 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:46.315268040 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:46.315380096 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:46.315615892 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:46.315633059 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:46.517364979 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.517391920 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.517435074 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.517465115 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.517493010 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.517509937 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.517852068 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.517863989 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.517896891 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.517905951 CEST49749443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.517954111 CEST4434974940.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.539479017 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.539513111 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.539598942 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.539762020 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:46.539773941 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:46.918313026 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:46.918422937 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:46.920779943 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:46.920792103 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:46.921024084 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:46.951545954 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:46.952152967 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:46.952172995 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:46.953135014 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:46.953198910 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:46.954385996 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:46.954442024 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:46.962449074 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:46.985404015 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.009310007 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:47.009334087 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:47.031407118 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.056190968 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:47.206660986 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206682920 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206690073 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206722975 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206747055 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.206774950 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206788063 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206810951 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.206815004 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206847906 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.206871986 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.206887960 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.206942081 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.207086086 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.219310999 CEST49751443192.168.2.452.165.165.26
                            Oct 1, 2024 15:06:47.219324112 CEST4434975152.165.165.26192.168.2.4
                            Oct 1, 2024 15:06:47.336147070 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.340933084 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.340964079 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.341763020 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.341772079 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.341803074 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.341813087 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.753411055 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.753436089 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.753547907 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.753595114 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.753803968 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.753803968 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.753854036 CEST49753443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.753871918 CEST4434975340.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.763433933 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.763458967 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:47.763606071 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.763709068 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:47.763720989 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:48.318296909 CEST4975553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.323179007 CEST53497551.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.323585987 CEST4975553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.323682070 CEST4975553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.323781967 CEST4975553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.329385996 CEST53497551.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.329423904 CEST53497551.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.339133024 CEST4975553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.387187004 CEST53497551.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.539946079 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:48.540437937 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:48.540457964 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:48.541132927 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:48.541138887 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:48.541179895 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:48.541188955 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:48.680756092 CEST53497551.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.681256056 CEST4975553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:49.311640978 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.311662912 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.311702967 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.311732054 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.311747074 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.311762094 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.311774015 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.311815023 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.312140942 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.312155962 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.312165022 CEST49754443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.312174082 CEST4434975440.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.336807013 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.336844921 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:49.336937904 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.337168932 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:49.337183952 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.111795902 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.112653017 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.112679005 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.113343954 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.113343954 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.113353968 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.113364935 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.528031111 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.528044939 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.528093100 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.528131962 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.528177977 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.528177977 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.528280020 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.528587103 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.528604031 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.528717041 CEST49756443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.528723001 CEST4434975640.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.549272060 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.549309969 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:50.549489975 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.549655914 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:50.549673080 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.351968050 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.352423906 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.352435112 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.353066921 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.353071928 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.353123903 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.353132963 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.759536982 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.759562016 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.759602070 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.759718895 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.759718895 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.759731054 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.759939909 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.760135889 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.760839939 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.760855913 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:51.760885954 CEST49757443192.168.2.440.126.32.68
                            Oct 1, 2024 15:06:51.760891914 CEST4434975740.126.32.68192.168.2.4
                            Oct 1, 2024 15:06:56.851787090 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:56.851871014 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:06:56.852438927 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:58.433110952 CEST49752443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:06:58.433142900 CEST44349752142.250.186.132192.168.2.4
                            Oct 1, 2024 15:07:13.596035957 CEST5037653192.168.2.4162.159.36.2
                            Oct 1, 2024 15:07:13.600888014 CEST5350376162.159.36.2192.168.2.4
                            Oct 1, 2024 15:07:13.603593111 CEST5037653192.168.2.4162.159.36.2
                            Oct 1, 2024 15:07:13.608387947 CEST5350376162.159.36.2192.168.2.4
                            Oct 1, 2024 15:07:14.074717999 CEST5037653192.168.2.4162.159.36.2
                            Oct 1, 2024 15:07:14.079819918 CEST5350376162.159.36.2192.168.2.4
                            Oct 1, 2024 15:07:14.079926968 CEST5037653192.168.2.4162.159.36.2
                            Oct 1, 2024 15:07:14.150707960 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:14.150758982 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:14.150871038 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:14.151215076 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:14.151232958 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:14.829689980 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:14.829823971 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:14.831139088 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:14.831151009 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:14.831423998 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:14.832632065 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:14.879398108 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.093686104 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.093712091 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.093729973 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.093919992 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.093938112 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.094024897 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.095155001 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.095199108 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.095220089 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.095230103 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.095289946 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.095449924 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.097026110 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.097026110 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.097048998 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:15.097079992 CEST50378443192.168.2.452.165.165.26
                            Oct 1, 2024 15:07:15.097086906 CEST4435037852.165.165.26192.168.2.4
                            Oct 1, 2024 15:07:32.604032040 CEST4972380192.168.2.42.19.126.163
                            Oct 1, 2024 15:07:32.604060888 CEST4972480192.168.2.4199.232.210.172
                            Oct 1, 2024 15:07:32.609119892 CEST80497232.19.126.163192.168.2.4
                            Oct 1, 2024 15:07:32.609180927 CEST4972380192.168.2.42.19.126.163
                            Oct 1, 2024 15:07:32.609406948 CEST8049724199.232.210.172192.168.2.4
                            Oct 1, 2024 15:07:32.609450102 CEST4972480192.168.2.4199.232.210.172
                            Oct 1, 2024 15:08:46.433207989 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:46.433259010 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:46.433331013 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:46.433842897 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:46.433859110 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:47.096695900 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:47.097131968 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:47.097162962 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:47.097506046 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:47.097848892 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:47.097923040 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:47.150233030 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:56.997421026 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:56.997492075 CEST44350381142.250.186.132192.168.2.4
                            Oct 1, 2024 15:08:56.997541904 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:58.433094025 CEST50381443192.168.2.4142.250.186.132
                            Oct 1, 2024 15:08:58.433136940 CEST44350381142.250.186.132192.168.2.4

                            UDP Packets

                            TimestampSource PortDest PortSource IPDest IP
                            Oct 1, 2024 15:06:42.020237923 CEST6243153192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:42.020545006 CEST6345853192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:42.026815891 CEST53599721.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:42.029685020 CEST53624311.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:42.030136108 CEST53634581.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:42.044495106 CEST53517321.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:42.047039986 CEST5322753192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:42.058139086 CEST53532271.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:42.145852089 CEST6313553192.168.2.48.8.8.8
                            Oct 1, 2024 15:06:42.146498919 CEST5882553192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:42.153892040 CEST53588251.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:42.167721033 CEST53631358.8.8.8192.168.2.4
                            Oct 1, 2024 15:06:43.227833986 CEST6313953192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:43.228075027 CEST6314453192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:43.237518072 CEST53631441.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:43.259121895 CEST53631391.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:43.306899071 CEST53528091.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:44.172746897 CEST138138192.168.2.4192.168.2.255
                            Oct 1, 2024 15:06:46.307272911 CEST6455153192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:46.307430029 CEST5290153192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:46.314209938 CEST53529011.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:46.314502001 CEST53645511.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.298626900 CEST4998753192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.299063921 CEST5850253192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.305684090 CEST53585021.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.329950094 CEST53499871.1.1.1192.168.2.4
                            Oct 1, 2024 15:06:48.339927912 CEST6113353192.168.2.41.1.1.1
                            Oct 1, 2024 15:06:48.371323109 CEST53611331.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:00.233865023 CEST53506591.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:13.594892025 CEST5350098162.159.36.2192.168.2.4
                            Oct 1, 2024 15:07:14.112993002 CEST53652341.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:18.390974045 CEST5623353192.168.2.41.1.1.1
                            Oct 1, 2024 15:07:18.391890049 CEST5569253192.168.2.41.1.1.1
                            Oct 1, 2024 15:07:18.422415018 CEST53556921.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:18.556543112 CEST53562331.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:18.557876110 CEST6427753192.168.2.41.1.1.1
                            Oct 1, 2024 15:07:18.567955017 CEST53642771.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:19.064764023 CEST53558091.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:34.135874033 CEST5836953192.168.2.41.1.1.1
                            Oct 1, 2024 15:07:34.190767050 CEST53583691.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:41.655433893 CEST53519111.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:41.706624985 CEST53552931.1.1.1192.168.2.4
                            Oct 1, 2024 15:07:54.744769096 CEST6431253192.168.2.41.1.1.1
                            Oct 1, 2024 15:07:54.755633116 CEST53643121.1.1.1192.168.2.4
                            Oct 1, 2024 15:08:10.627631903 CEST53632261.1.1.1192.168.2.4
                            Oct 1, 2024 15:08:18.596697092 CEST5356753192.168.2.41.1.1.1
                            Oct 1, 2024 15:08:18.596879959 CEST5971553192.168.2.41.1.1.1
                            Oct 1, 2024 15:08:18.626621008 CEST53535671.1.1.1192.168.2.4
                            Oct 1, 2024 15:08:18.627425909 CEST53597151.1.1.1192.168.2.4
                            Oct 1, 2024 15:08:18.628142118 CEST5944953192.168.2.41.1.1.1
                            Oct 1, 2024 15:08:18.638647079 CEST53594491.1.1.1192.168.2.4
                            Oct 1, 2024 15:08:55.643126011 CEST53518971.1.1.1192.168.2.4
                            Oct 1, 2024 15:09:10.952105045 CEST5613053192.168.2.41.1.1.1
                            Oct 1, 2024 15:09:10.985002041 CEST53561301.1.1.1192.168.2.4
                            Oct 1, 2024 15:09:36.682876110 CEST5785653192.168.2.41.1.1.1
                            Oct 1, 2024 15:09:36.714557886 CEST53578561.1.1.1192.168.2.4

                            DNS Queries

                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                            Oct 1, 2024 15:06:42.020237923 CEST192.168.2.41.1.1.10x2e8cStandard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:42.020545006 CEST192.168.2.41.1.1.10xe8fcStandard query (0)xmlj.debelfor.com65IN (0x0001)false
                            Oct 1, 2024 15:06:42.047039986 CEST192.168.2.41.1.1.10x9803Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:42.145852089 CEST192.168.2.48.8.8.80xe549Standard query (0)google.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:42.146498919 CEST192.168.2.41.1.1.10xfd36Standard query (0)google.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:43.227833986 CEST192.168.2.41.1.1.10x8f47Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:43.228075027 CEST192.168.2.41.1.1.10xd56dStandard query (0)xmlj.debelfor.com65IN (0x0001)false
                            Oct 1, 2024 15:06:46.307272911 CEST192.168.2.41.1.1.10x4ebcStandard query (0)www.google.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:46.307430029 CEST192.168.2.41.1.1.10x91d9Standard query (0)www.google.com65IN (0x0001)false
                            Oct 1, 2024 15:06:48.298626900 CEST192.168.2.41.1.1.10xd747Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:48.299063921 CEST192.168.2.41.1.1.10x22a7Standard query (0)xmlj.debelfor.com65IN (0x0001)false
                            Oct 1, 2024 15:06:48.339927912 CEST192.168.2.41.1.1.10x267aStandard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:18.390974045 CEST192.168.2.41.1.1.10x3719Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:18.391890049 CEST192.168.2.41.1.1.10x2d7fStandard query (0)xmlj.debelfor.com65IN (0x0001)false
                            Oct 1, 2024 15:07:18.557876110 CEST192.168.2.41.1.1.10x8f39Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:34.135874033 CEST192.168.2.41.1.1.10x7ff8Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:54.744769096 CEST192.168.2.41.1.1.10x34d2Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:08:18.596697092 CEST192.168.2.41.1.1.10x2a3fStandard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:08:18.596879959 CEST192.168.2.41.1.1.10x9c46Standard query (0)xmlj.debelfor.com65IN (0x0001)false
                            Oct 1, 2024 15:08:18.628142118 CEST192.168.2.41.1.1.10xa638Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:09:10.952105045 CEST192.168.2.41.1.1.10x3e5aStandard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:09:36.682876110 CEST192.168.2.41.1.1.10xe559Standard query (0)xmlj.debelfor.comA (IP address)IN (0x0001)false

                            DNS Answers

                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Oct 1, 2024 15:06:42.029685020 CEST1.1.1.1192.168.2.40x2e8cName error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:42.030136108 CEST1.1.1.1192.168.2.40xe8fcName error (3)xmlj.debelfor.comnonenone65IN (0x0001)false
                            Oct 1, 2024 15:06:42.058139086 CEST1.1.1.1192.168.2.40x9803Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:42.153892040 CEST1.1.1.1192.168.2.40xfd36No error (0)google.com142.250.185.78A (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:42.167721033 CEST8.8.8.8192.168.2.40xe549No error (0)google.com142.250.184.206A (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:43.237518072 CEST1.1.1.1192.168.2.40xd56dName error (3)xmlj.debelfor.comnonenone65IN (0x0001)false
                            Oct 1, 2024 15:06:43.259121895 CEST1.1.1.1192.168.2.40x8f47Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:46.314209938 CEST1.1.1.1192.168.2.40x91d9No error (0)www.google.com65IN (0x0001)false
                            Oct 1, 2024 15:06:46.314502001 CEST1.1.1.1192.168.2.40x4ebcNo error (0)www.google.com142.250.186.132A (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:48.329950094 CEST1.1.1.1192.168.2.40xd747Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:48.371323109 CEST1.1.1.1192.168.2.40x267aName error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:06:50.609035969 CEST1.1.1.1192.168.2.40x8585No error (0)templatesmetadata.office.nettemplatesmetadata.office.net.edgekey.netCNAME (Canonical name)IN (0x0001)false
                            Oct 1, 2024 15:07:18.422415018 CEST1.1.1.1192.168.2.40x2d7fName error (3)xmlj.debelfor.comnonenone65IN (0x0001)false
                            Oct 1, 2024 15:07:18.556543112 CEST1.1.1.1192.168.2.40x3719Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:18.567955017 CEST1.1.1.1192.168.2.40x8f39Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:34.190767050 CEST1.1.1.1192.168.2.40x7ff8Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:07:54.755633116 CEST1.1.1.1192.168.2.40x34d2Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:08:18.626621008 CEST1.1.1.1192.168.2.40x2a3fName error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:08:18.627425909 CEST1.1.1.1192.168.2.40x9c46Name error (3)xmlj.debelfor.comnonenone65IN (0x0001)false
                            Oct 1, 2024 15:08:18.638647079 CEST1.1.1.1192.168.2.40xa638Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:09:10.985002041 CEST1.1.1.1192.168.2.40x3e5aName error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false
                            Oct 1, 2024 15:09:36.714557886 CEST1.1.1.1192.168.2.40xe559Name error (3)xmlj.debelfor.comnonenoneA (IP address)IN (0x0001)false

                            HTTP Request Dependency Graph

                            • login.live.com
                            • slscr.update.microsoft.com

                            HTTPS Proxied Packets

                            Session IDSource IPSource PortDestination IPDestination Port
                            0192.168.2.44973940.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:41 UTC422OUTPOST /RST2.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 3592
                            Host: login.live.com
                            2024-10-01 13:06:41 UTC3592OUTData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                            Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                            2024-10-01 13:06:41 UTC568INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: application/soap+xml; charset=utf-8
                            Expires: Tue, 01 Oct 2024 13:05:41 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C533_BL2
                            x-ms-request-id: f172413f-874b-48b8-b924-2d62ebcb1cf4
                            PPServer: PPV: 30 H: BL02EPF0001D75C V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:40 GMT
                            Connection: close
                            Content-Length: 1276
                            2024-10-01 13:06:41 UTC1276INData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                            Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                            Session IDSource IPSource PortDestination IPDestination Port
                            1192.168.2.44974240.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:42 UTC446OUTPOST /ppsecure/deviceaddcredential.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 7642
                            Host: login.live.com
                            2024-10-01 13:06:42 UTC7642OUTData Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 71 6b 62 64 62 71 64 76 72 62 69 61 6e 68 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 46 71 5e 42 62 75 3a 34 46 62 54 68 70 2b 75 46 75 6a 4d 6a 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 61 6b 71 72 6c 66 67 75 6b 69 6a 65 76 6c 3c 2f 4f 6c 64 4d
                            Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02qkbdbqdvrbianh</Membername><Password>Fq^Bbu:4FbThp+uFujMj</Password></Authentication><OldMembername>02akqrlfgukijevl</OldM
                            2024-10-01 13:06:44 UTC542INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: text/xml
                            Expires: Tue, 01 Oct 2024 13:05:43 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C528_BAY
                            x-ms-request-id: 985ed898-d7bf-4338-a49d-2e80041ebd5f
                            PPServer: PPV: 30 H: PH1PEPF00011F70 V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:44 GMT
                            Connection: close
                            Content-Length: 17166
                            2024-10-01 13:06:44 UTC15842INData Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 30 30 31 31 43 44 39 35 33 33 30 34 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 32 32 32 66 33 37 39 63 2d 39 32 61 34 2d 34 38 31 39 2d 62 65 66 61 2d 38 30 61 34 61 64 63 38 62 38 36 64 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31
                            Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>00180011CD953304</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="222f379c-92a4-4819-befa-80a4adc8b86d" LicenseID="3252b20c-d425-4711
                            2024-10-01 13:06:44 UTC1324INData Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66
                            Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf


                            Session IDSource IPSource PortDestination IPDestination Port
                            2192.168.2.44974940.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:45 UTC422OUTPOST /RST2.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 3592
                            Host: login.live.com
                            2024-10-01 13:06:45 UTC3592OUTData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                            Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                            2024-10-01 13:06:46 UTC653INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: application/soap+xml; charset=utf-8
                            Expires: Tue, 01 Oct 2024 13:05:46 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30374.3
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C522_BAY
                            x-ms-request-id: df68d09a-d72f-48ba-baf3-c11a8e085362
                            PPServer: PPV: 30 H: PH1PEPF0001B881 V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:46 GMT
                            Connection: close
                            Content-Length: 11389
                            2024-10-01 13:06:46 UTC11389INData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                            Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            3192.168.2.44975152.165.165.26443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:46 UTC306OUTGET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VXRCG+6Xxbe7s+B&MD=g7hxx7UY HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                            Host: slscr.update.microsoft.com
                            2024-10-01 13:06:47 UTC560INHTTP/1.1 200 OK
                            Cache-Control: no-cache
                            Pragma: no-cache
                            Content-Type: application/octet-stream
                            Expires: -1
                            Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                            ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                            MS-CorrelationId: 5c130eef-c92e-496f-befa-c7835c28f3b3
                            MS-RequestId: 2070fd2b-57ed-415c-80f8-31fe6edee4bc
                            MS-CV: Kh9V7e2S80OWeFbf.0
                            X-Microsoft-SLSClientCache: 2880
                            Content-Disposition: attachment; filename=environment.cab
                            X-Content-Type-Options: nosniff
                            Date: Tue, 01 Oct 2024 13:06:46 GMT
                            Connection: close
                            Content-Length: 24490
                            2024-10-01 13:06:47 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                            Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                            2024-10-01 13:06:47 UTC8666INData Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                            Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                            Session IDSource IPSource PortDestination IPDestination Port
                            4192.168.2.44975340.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:47 UTC422OUTPOST /RST2.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 4775
                            Host: login.live.com
                            2024-10-01 13:06:47 UTC4775OUTData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                            Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                            2024-10-01 13:06:47 UTC568INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: application/soap+xml; charset=utf-8
                            Expires: Tue, 01 Oct 2024 13:05:47 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C533_BAY
                            x-ms-request-id: ff119214-f86c-4201-8524-b69630f6d1a5
                            PPServer: PPV: 30 H: PH1PEPF00011F17 V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:47 GMT
                            Connection: close
                            Content-Length: 1918
                            2024-10-01 13:06:47 UTC1918INData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                            Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                            Session IDSource IPSource PortDestination IPDestination Port
                            5192.168.2.44975440.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:48 UTC422OUTPOST /RST2.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 4775
                            Host: login.live.com
                            2024-10-01 13:06:48 UTC4775OUTData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                            Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                            2024-10-01 13:06:49 UTC653INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: application/soap+xml; charset=utf-8
                            Expires: Tue, 01 Oct 2024 13:05:48 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30374.3
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C522_BAY
                            x-ms-request-id: b724f520-f2ab-4ad8-976c-b19cf6c15b08
                            PPServer: PPV: 30 H: PH1PEPF0001B87F V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:48 GMT
                            Connection: close
                            Content-Length: 11409
                            2024-10-01 13:06:49 UTC11409INData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                            Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                            Session IDSource IPSource PortDestination IPDestination Port
                            6192.168.2.44975640.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:50 UTC422OUTPOST /RST2.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 4775
                            Host: login.live.com
                            2024-10-01 13:06:50 UTC4775OUTData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                            Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                            2024-10-01 13:06:50 UTC569INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: application/soap+xml; charset=utf-8
                            Expires: Tue, 01 Oct 2024 13:05:50 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C522_BAY
                            x-ms-request-id: 2ee85665-528d-4b3f-bd20-18964346092e
                            PPServer: PPV: 30 H: PH1PEPF0001B80C V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:50 GMT
                            Connection: close
                            Content-Length: 11409
                            2024-10-01 13:06:50 UTC11409INData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                            Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                            Session IDSource IPSource PortDestination IPDestination Port
                            7192.168.2.44975740.126.32.68443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:06:51 UTC422OUTPOST /RST2.srf HTTP/1.0
                            Connection: Keep-Alive
                            Content-Type: application/soap+xml
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                            Content-Length: 4762
                            Host: login.live.com
                            2024-10-01 13:06:51 UTC4762OUTData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31
                            Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                            2024-10-01 13:06:51 UTC569INHTTP/1.1 200 OK
                            Cache-Control: no-store, no-cache
                            Pragma: no-cache
                            Content-Type: application/soap+xml; charset=utf-8
                            Expires: Tue, 01 Oct 2024 13:05:51 GMT
                            P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                            Referrer-Policy: strict-origin-when-cross-origin
                            x-ms-route-info: C522_BAY
                            x-ms-request-id: e25af5be-655c-4546-8472-163dd95fc51b
                            PPServer: PPV: 30 H: PH1PEPF0001B87C V: 0
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-XSS-Protection: 1; mode=block
                            Date: Tue, 01 Oct 2024 13:06:50 GMT
                            Connection: close
                            Content-Length: 10197
                            2024-10-01 13:06:51 UTC10197INData Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30
                            Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                            8192.168.2.45037852.165.165.26443
                            TimestampBytes transferredDirectionData
                            2024-10-01 13:07:14 UTC306OUTGET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VXRCG+6Xxbe7s+B&MD=g7hxx7UY HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                            Host: slscr.update.microsoft.com
                            2024-10-01 13:07:15 UTC560INHTTP/1.1 200 OK
                            Cache-Control: no-cache
                            Pragma: no-cache
                            Content-Type: application/octet-stream
                            Expires: -1
                            Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                            ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                            MS-CorrelationId: ff704c22-0392-4205-9514-d9a01315b995
                            MS-RequestId: 4ec7610e-1663-485c-9fad-d40a9cdedd03
                            MS-CV: 6Oonmj5Y0UuG3fcO.0
                            X-Microsoft-SLSClientCache: 1440
                            Content-Disposition: attachment; filename=environment.cab
                            X-Content-Type-Options: nosniff
                            Date: Tue, 01 Oct 2024 13:07:14 GMT
                            Connection: close
                            Content-Length: 30005
                            2024-10-01 13:07:15 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                            Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                            2024-10-01 13:07:15 UTC14181INData Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                            Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:09:06:31
                            Start date:01/10/2024
                            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
                            Imagebase:0xae0000
                            File size:1'875'576 bytes
                            MD5 hash:2A43FE7F9F699F7F53FEBC254F68F46D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:false

                            General

                            Target ID:3
                            Start time:09:06:34
                            Start date:01/10/2024
                            Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "ACDED7EB-D880-4ACC-A58C-ABC31A66F134" "DD203341-10FD-4262-8EA1-67EA019FAACD" "6160" "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" "PowerPointCombinedFloatieLreOnline.onnx"
                            Imagebase:0x7ff695510000
                            File size:710'048 bytes
                            MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            General

                            Target ID:7
                            Start time:09:06:39
                            Start date:01/10/2024
                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://xmlj.debelfor.com/59lCq/
                            Imagebase:0x7ff76e190000
                            File size:3'242'272 bytes
                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            General

                            Target ID:8
                            Start time:09:06:40
                            Start date:01/10/2024
                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2008,i,12280827540682383525,3330265013288624858,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                            Imagebase:0x7ff76e190000
                            File size:3'242'272 bytes
                            MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Disassembly

                            No disassembly